A fresh rant coming on...
Started: Thursday, February 5, 2004 00:38
Finished: Thursday, February 5, 2004 02:06
The Linux fanatics are attacking! Wow, I haven't seen FUD this bad in quite a while. First, a choice quote or two:
What is it about operating systems that turns people into fanatics? A number of years ago it was unsafe for any Windows user to hang around Macintosh fans; today, it seems no one is safe from the "penguinistas," as Linux fanatics are called, after the system's penguin emblem.
That's only the beginning....
There is some comfort in suspecting that MyDoom was the creation of a large community of people, such as the open-source community that stands behind Linux. If so, then their rage is limited to a specific campaign, which could soon be ended. If not -- meaning if a rogue programmer created MyDoom -- then we don't know what the motive is, and moreover we are left with the uncomfortable knowledge that millions of computers and networks worldwide can be at the mercy of one evil genius.
After several paragraphs of this sort of factually erroneous suppositions, speculation, and flamebait, the last half of the article launches into an awkward segue about some proposed standards for preventing forged email headers at the ISP level (naturally, that part is also short on factual information, and heavy on vague generalities).
Now I shall make my own unsubstantiated bit of speculation. Is the author of this article secretly on the MS payroll? If not, then why does he present such a bizarrely skewed picture of things? While throwing baseless accusations at the Linux community, claiming Linux users as a whole might be responsible for creating the latest batch of email worms, he manages to completely avoid talking about the most culpable party -- the company that created the conditions which make it easy for such viruses to propagate: Microsoft.
Now, for a more general rant. On the so-called operating system "fanatics". This is a term that has been bandied about for years to describe many Linux users, and it is not entirely without basis. People who get into Linux, especially the hobbiests who comprise traditional Linux users (distinguished from the more recent crop who use it only in a work environment), tend to get vocally excited about it because it's so cool. I am one of these people, although I don't expound about it quite as much as I used to. It's now so regular that it's just part of the background, like a piece of well worn furniture that reliably does its job without having to be paid much attention.
So, we are Linux fanatics. The author of the article claims we are called "penguinistas". That's the first usage I've seen of this particular term. But he proceeds to call us that, so I guess he's right. That what we're called. Penguinistas.
A brief mention is also made of Macintosh fans in passing, saying that back in the day, it was unsafe for a Windows user to hang out with them. Exactly why it would ever be "unsafe" for a Windows user to come near a Mac user, much less a Linux user, is not explained, but nevermind that. (I should think that in the context of spreading email viruses, it would be most unsafe for Windows users to come in contact with other Windows users, given that Windows is the platform on which such viruses spread. But we left the land of reason long ago.)
While pouring out these scorching indictments upon users of alternative platforms, he mysteriously fails to mention that other brand of OS fanatics: The kind that use Windows. (I'm not saying that all Windows users fall into this category, but many do; some without even knowing it.)
Windows fanatics -- or maybe a better term here would be "Microsoft fanatics" -- arrogantly assume that everybody in the world uses not only the same operating system, but also the same word processor, the same web browser, and the same email client that they do. They blithely send out textual information encoded in binary files with the infamous .doc extension, and expect everybody else to pretend that this is a "standard".
They create what they claim to be "web pages", even though such things can often only be viewed in one type of browser, and bear no resemblence to conforming to any specifications published by the w3c.
How many of the so-called "Linux fanatics", or "Macintosh fanatics", go around pushing information at other people in file formats that are only native to their particular platform, and expect everybody else to conform to their ways? Who are the real fanatics here?
Now, skipping past the unquestioned assumption that the SCO Group "holds the patents and copyrights" on chunks of Unix code contained in Linux, let's get to the article's claim that maybe the whole Linux community is behind MyDoom. The auther finds this idea, preposterous as it is, easier to handle than a lone "genius" being able to single-handedly screw up millions of computers around the world.
Newsflash. It doesn't take a "genius" to write an Outlook virus. Any half competent VB programmer in middle school could come up with such a thing. The reason "millions of computers and networks worldwide" can be affected by it has two causes: (1) Lots of users who behave like idiots, and (2) Companies who market blatently insecure products to the masses to be deployed, unprotected, on the open Internet. Once again, we turn out attention to Redmond.
I have heard second hand that more recent versions of Microsoft email products do manage to do a better job of putting up barriers between users and the running of untrusted executables in emails. Such things as warning people before letting them run something that might do bad stuff, making users click through 5 confirmation dialogs and being required to change some settings before they can run a foreign file, etc. It's better than nothing. Yet somehow, the viruses keep spreading.
Therefore, we go back to number 1. Stupid users who, against many warnings from admins, repeated infections, and anything that would resemble common sense, continue to pollute the world by letting all manner of executable programs run with the equivilant of root privileges on their net-connected systems. I don't know what to do about that problem.
More education seems like a good idea, but even that sometimes seems futile. Having worked in the past at an Intenet security appliance company where the sales people would regularly bog down the network with such viruses (you'd think that if there were one place in the world where employees should know better, it would be at a place where network security products are sold), I wonder if there is really any hope.
One thing I do know: Spreading idiotic paranoia about people who user other more secure platforms is certainly not going to improve anything.
Whew! I haven't written a good rant like that in a while. That was fun. Now I'm all out of ranting energy. Time to get down and write a little code.
by Bitscape (2004-02-05 04:57)
After taking a few minutes to calm down, I wrote this far less inflammatory letter to the author of the article. An attempt at diplomacy...
---
Jack, I read your article about Linux and the MyDoom virus with interest.
Since I have used Linux exclusively on my home desktop for over half a decade, you could say I fall into the category of a "Linux fanatic." I wear the label with pride, although I don't go around evangalizing about it as much as I used to.
Back when I first discovered Linux, all was new and exciting, I wanted to tell the whole world what a great thing I had found, and share it with anybody who would listen. Gradually, I realized that those who would be interested would probably seek it out for themselves anyway, and others would only be put off by endless proclamations regarding how great Linux is. So I learned to keep my preference mostly to myself, and reduced my advocacy to merely answering questions from anyone who happened to inquire.
Now, for me, Linux is so normal that it's just become part of the background, like a piece of well worn furniture that reliably does its job without needing to be paid much attention. Today, reading your article brought the old fanatic out.
You make the claim that, "A number of years ago it was unsafe for any Windows user to hang around Macintosh fans; today, it seems no one is safe from the 'penguinistas,' as Linux fanatics are called, after the system's penguin emblem."
If by "unsafe", you mean that those who use other operating systems might try to convince you to switch, and in so doing behave in an annoying manner, then that might be a fair statement, although it is quite inflammatory. It is where you go from there that the article becomes blatently erroneous.
A few paragraphs down, you jump to an absurd speculation, blanketing an entire community with a very serious charge. "There is some comfort in suspecting that MyDoom was the creation of a large community of people, such as the open-source community that stands behind Linux."
One look at how the open source community operates should be enough to debunk such an idea. Open source software is just that. Created out in the open for all to see. Look at any of the projects hosted on sourceforge.net to get a sample of how things are done. Discussions are held in public forums or mailing lists; anybody with the skill and desire can contribute code to any of the projects, and any member of the public with Internet access can view not only the results, but the inner workings of it all.
If any appreciable portion of the "open-source community" had collaborated to create a virus, there would be ample evidence spread far and wide.
Is it possible that some person or very small group of people who happen to also be involved in open source software creation could have created such a virus? Of course. It's possible. Because of the fact that open source software is so open to the public, it's hard to define who would even be considered a "member". There is no official list.
But I guarantee you that none of the respected open source leaders would ever condone such methods, in public or in private. The overwhelming majority of the Linux-using population, like the general public, finds such acts of vandalism reprehensible, perhaps to an even greater degree because of our enthusiasm for technology.
It is true that the SCO Group is widely held in very low regard among Linux users. This is because they have persisted in making increasingly outrageous claims upon intellectual property in Linux and Unix without presenting any credible evidence to back up their claims; an accussation which you repeat without question in your article. For a more detailed background on the case, containing a historical summary of how the Unix and Linux code came about, a good resource can be found at: http://www.opensource.org/sco-vs-ibm.html
Now, I have one more bone to pick. You assert that "if a rogue programmer created MyDoom -- then we don't know what the motive is, and moreover we are left with the uncomfortable knowledge that millions of computers and networks worldwide can be at the mercy of one evil genius."
It does not take a "genius" to write an Outlook virus. Any semi-competent Visual Basic programmer in middle school could come up with such a thing. It's just a few lines of scripting. Countless variations have been popping up ever since the ILOVEYOU virus made headlines years ago. I would guess that the motivation is likely not much different than that of common vandals or graffiti sprayers.
If you find the idea that one person could cause so much damage disturbing, I suggest you turn your attention to the reasons we have an environment in which destructive viruses are spread so easily:
1) Computer users who behave, to put it bluntly, like idiots.
2) A company whose notoriously insecure software has fostered an environment in which it so easy for email viruses to propagate: Microsoft.
The fact that the most commonly used email program makes it a trivial exercise to accidentally run foreign executable code with no restraints on what it is allowed to do (something Unix/Linux users would refer to as "root permissions", or administrative access) goes beyond negligence. It should open Microsoft up to legal liability. Unfortunately, their lawyers have done a good job of filling license agreements with broad disclaimers, making it very difficult for anyone to sue for a problem that is obviously due to their lax security measures.
I understand (though this knowledge is second hand) that Microsoft has done a better job of making it less trivial to take such foolish actions in more recent releases. This is good, but the viruses still keep spreading.
What is needed is some serious education, and more discipline on the part of everyday computer users. If people could just read the contents of their email, without giving it leeway to take over their entire computers (either through badly designed email programs, or suicidal actions on their part), the worst of the virus problem would disappear overnight.
Not only did the Linux users not create the virus problem, but we are largely immune, except for having to receive copies of such viruses from Windows users. Even if someone tried to write a virus to effect Linux email readers, they would have a far more difficult time of it, because virtually none of the email programs that run under Linux will blindly open up any executable file that shows up in the inbox without prompting. That, and most Linux users by demographic tend to be more technically adept.
However, if you and others who use Windows want to continue in your ways, I will not stop you. But please, try to realize that spreading baseless paranoia about people who choose to use other platforms is not going to solve any of your problems.
On a more positive note, I do agree with the part about disallowing email with forged headers. Unfortunately, the best case scenario is that it's going to take a while to get everybody to adopt it. It would be a nice way to curb spam abuses, as well as viruses that spread by forging the sender's idenity.
----
Well, at least I was halfway diplomatic. Probably could have been better. Oh well.
According to a slashdot article I just saw, even the BBC is picking up this crazy meme, ridiculous as it is. So it's not limited to one or two misinformed columnists.
The temptation here, like with the overblown Howard Dean Iowa speech, is to suspect a media conspiracy. How else would such falsehoods and misperceptions propagate so far and wide? But, realistically, it probably again just amounts to a lot of reporters not knowing the whole story. Maybe with a little diplomacy, and less rashness than what I exhibited in my initial rambling here, we can get them to understand and report our side of the story.
(BTW, I did not send from my bitscape.org domain in the email, so he won't see my less composed initial reaction.)