Online alternatives to XP after April
 

I'm not sure if this deserves a new thread or not, but it almost seems like a topic in itself.

On another thread there have been favourable reports about Linux - specifically Linux Mint. At the suggestion of llondel (there is a PM for you) and others, I've had a look at it from boot CD option. It has possibilities for 'safe' internet work - perhaps .....

One nagging question remains (well several actually but one to start with). Wherein does the perceived "safety" of Linux (or - dare I suggest it - a Mac) lie?

Is it simply that they are used in relatively small numbers across the globe, and therefore the propagation of an attack will most likely starve for targets and unwitting victims?

If so, is it possible that if the number of users grows to a "worthwhile" critical mass, that it could be just as vulnerable to online cyber attack - with all of the graphic horror we are promised if we stay with XP ?

Thoughts appreciated.....

To some extent you are correct that the smaller user base of Linux and Mac OS makes them less attractive targets for attackers.

It's my belief that the Linux user base is a good deal more technically (and thus security) aware than the average PC user, so it is hard to see an increase in Linux use equating to greater opportunities for attackers.

I wouldn't say the same for Mac users, however - that's not having a go at Apple, just that the Apple ethos has always been about using their products, not having to understand them.

Also, I believe that Linux is inherently a more secure architecture than Windows.

Here's a useful article on the subject: Overview of Linux Kernel Security Features | Linux.com

But it's all too easy to be complacent.

SD

There's a few people on this thread who are far more qualified to answer than me, but.

I use exclusivly Linux, at home and for research, basic numerical modeling type stuff on clusters. It's the fundamental design of the system, (based around a Unix model I think) that makes it safe. That said, there are things you can do to make it unsafe. There are known risks out there for it.

As for the small target scenario, yes that is most likely a factor to a point. There's nothing like having all the attention and effort focused on one system type to be able to bring out any possible vulnerabilities.

Compared to XP, where most people tended to set up their account as an administrator, a Unix-like system (which includes both Linux and Mac) is normally configured with a fairly rigid partition between the root account and a user account, so a malicious payload wouldn't be able to modify any critical system files. It might compromise the user account if the user had a few executable files in a local directory, but not the system. There are exploits that can give an escalation to root privilege but they're not common and usually require local access to the machine rather than a dodgy email.

Part of the perceived safety is simply because there are a lot less bits of malware targeted at the less popular operating systems. There's also the fact that much of the Linux ecosystem is available as source code, and has plenty of peer review which makes it harder to smuggle something in.

Windows is vulnerable because it tends to try to make things easy for the user, automatically performing tasks to save the user from having to do them. Most of these have been subverted at some point, where the user thinks one thing is happening when in actual fact a malicious program has been started which may eventually get around to doing what the user expects to see, but will first set itself up to do nasty things. Windows 7 is a big improvement on XP, because Microsoft got its ar*e kicked over poor security and got its act more together.

Not quite my dear Saab... remember, OS X is just the pretty GUI... BSD is behind it ! :cool:

First, open vs closed source has absolutely nothing to do with it. Its all in the security model....

The overall perceived safety of Mac and Linux can be assumed to be reasonably similar because Linux distributions are based on the Linux kernel, and Mac OS X is based on the BSD kernel and the open source Darwin project (only saying open source here because many people don't realise just quite how open source OS X is !).

Both Linux and BSD based operating systems have a great deal of inherent security and stability going for them.

The reasons for this are many fold, Linux and BSD are well established projects that have been going for a number of years and have always had a degree of security focus (BSD more so than Linux, which is more feature driven).

Apple have actually brought a number of security enhancements to BSD and also present within Darwin. Some indirect, such as their Objective-C programming language helping to enforce best-practices in safe coding down to various OS level enhancements. Apple have also always been heavily security conscious, unlike Microsoft which only really took note and understood change was needed after the Windows 2000 debacle.

So if we wanted to make things simple, we'd say its (Linux+Mac) vs Windows ..... rather than Linux vs Mac vs Windows, because in reality Mac really isn't any less secure than Linux .... in some areas Mac/Linux may well be more secure than Linux/Mac , in other areas Mac/Linux may well be less secure than Linux/Mac... but as it's all Linux/BSD based, its changing all the time on both sides. Hence you should be really comparing "Linux/BSD kernel based operating systems" vs Windows and don't get yourself lost in the details which are likely to be obsolete by time time you've figured it out.

Microsoft obviously have a larger customer base which makes them an attractive target, but I don't think that's necessarily the only reason for the larger number of exploits.... I think it also comes down to the fact that Microsoft have traditionally been an easier target to exploit (single-user model, monolithic design, large reliance on RPC calls etc. etc.).

To give them their due, in the post-XP era (i.e Vista onwards), Microsoft have made some inroads into changing their fundamental security model. Its a long task ahead of them, they're a corporate behemoth and its a gigantic codebase, its going to take time. But as others have pointed out Windows 7 onwards already does carry many serious security benefits that you won't find in XP or below.

In the end though, if the end-user is a moron and clicks and opens anything in sight, fiddles around with settings without knowing what they do, etc etc. then it really doesn't matter what operating system you give them. :cool:

Mixture, I was speaking of the users, not the OS!

I'm well aware that OSX is a UNIX derivative.

SD

Indeed OS security is only as good as the user's understanding. Most users just want it "on" so they can get on with things and often don't understand the consequence of bypassing a security measure to get a task done. Generally I have found OSX to be the best at managing its own security for the unaware user, Unix/Linux requires a deeper understanding of security for the unaware user and often a visit to the command line and vi editor. Windows is getting better with some impressive improvements of late but these aren't in the mainstream conscience yet.

You could argue that all three systems above provide good enough security with the weakest link being the end user. The common x86 architecture has allowed malicious payloads to be carried in obscure software, or even injected during a download. The diligent users would only choose reputable software vendors and always verify their software (md5, certs, etc). For everyone else it's a game of chance regardless of the OS used.

Most Unix/Linux security failings that I have seen have been the fault of poorly written third party software like CMS tools (WordPress is known as Hacking101 in *nix land), and there used to be some beauties in the olden days like:
Running mknod on tmpfs in Solaris would cause a kernel panic
Setting up a cron job to unlock a compromised account was a common hack
My favourite #include "/dev/tty" even won the code obfuscation competition.

Unix/Linux wont be the panacea for solving all your security issues unless you have sound technical knowledge to deal with them. If you don't have the time or inclination to learn it all then look at OSX first then Windows.

Indeed, I wish more developers would provide hashes & certs.


Good summary.

You have to remember where Linux/Unix came from, primarily intended for use on servers and all taken care of by one large community of coders. You have to remember that everything is a separate software package coded by different groups of individuals, all just handily pre-compiled and distributed for you in one friendly package. The user interface is just another package, perhaps with a few custom "themes" to match the Linux distribution colours.

Whilst OS X does have open source behind it, you have to remember a lot of that code came from Apple are ploughing R&D money into developing and maintaining it with whole armies of coders.

Hence the more polished look and feel of OSX, as well as the additional behind the scenes technical enhancements. Apple have integrated it all very well indeed.

Of course, OS X provides you easy access to the command line too. So you get the best of both worlds essentially, which you know will never be there because of the way Linux distros work.

I've tried the latest Ubuntu desktop.... OS X is way better for the very reasons given above about lack of integration which you know will never be there because of the way Linux distros work.

I just had to drop this in here: What if Operating Systems Were Airlines?

SD

Excellent summary from mixture

:ok:

While I am not a Windows fan (I use Macs, several flavours of Linux, BSD and Solaris), it is worth pointing out that Windows CAN be locked down pretty tightly by means of proper security policies, ACLs, firewall rules, VPNs and audits.

The problem is that out-of-the-box, Windows is very loose (to prevent user grumbles) and most people leave it that way.

Mac

:bored:

CESG has also come out fairly positively about Linux - specifically the Ubuntu distribution.

See: UK's security branch says Ubuntu most secure end-user OS | ZDNet

We'll never hear the end of it from the Ubuntu marketing bandwagon ! :ugh:

I hate stupid headlines like that.

If you look at the charts, OS X didn't exactly lag far behind Ubuntu. The only difference was very minor, and was in the Device Update Policy section ("orange" instead of "green"... their marking needs more granularity !!) , so not really of much importance to home-users and I'd need to read the detail to see what the exact detail was as far as businesses was concerned.

Furthermore, Device Update Policy is a management evaluation criteria, rather than security evaluation criteria.

If anything, all that document does is confirm my earlier point made that Mac was as secure as Linux for all intensive purposes. But then I already knew I was right anyway ! :E



(Edit to add: I've dug up the detail, their marking down of OS X from Green to Orange under Device Update Policy was down to "The enterprise cannot force the user to update their device or software." ..... Apple have been steadily improving their Server software, so I suspect policy enhancements were already in the works long before this publication)

It's also worth pointing out that for some jobs, doing so makes things a right pain in the ar:mad:. If it's someone in an office using a defined set of applications then yes, Windows can be good, in that it's easy to manage centrally and roll out upgrades while preventing users from installing their own stuff. I worked at one place that by default had everything locked down like that, but the development team were forever asking IT to allow this, that and the other because we needed all sorts of things to do our job. Eventually they granted admin rights on the machines and told us to tell them what we'd installed and that we were responsible for the consequences of anything bad.

Quote:

---

"The enterprise cannot force the user to update their device or software." .....

---

Which is one of the biggest irritants of any of these auto-update schemes that require a reboot to complete. You leave the machine on overnight logging data, only to return in the morning to discover that it rebooted at midnight and you didn't get most of the data you wanted. I'm happy for the machine to tell me it's got updates to install but the job gets done when I'm ready for it.

The other irritating thing with Windows is when you do need a reboot in the middle of the day and it declares that it's got 60 updates to install before it will reboot and takes three hours to do it.

Hehe ...

Or when someone thinks "I'll just quickly shutdown my Windows laptop and dash off" .... only to encounter the "installing update 1 of 1000000" screen !

(Yes I know you can shutdown without it if you know where to look, but the default option is to install updates)

Or you just get a 1000 clicks in the middle of nowhere, log on with a sattellite link. and your screwed. Or your near the very end of your monthly allowance and ..... Or Or Or. F@$$ windows.

Linux - thoughts and comments
 

A few thoughts.

1) Security
Systems that are inherently designed to restrict access are more secure than open systems such as Windows XP. Programs that are shared across systems such as Java are continue to be a major source of problems for all of us.

2) Portability of Data
If a software package ceases to be supported or develops it in a direction a user does not like (for example the classic word processing program Wordperfect is no longer available) or locks you into their hardware ecosystem as a user (Apple) you have a major problem. With Open Source this has not been an issue as the original software remains available and it can be updated (forked) by anyone who does not like the new version. Linux Mint is a fork of Ubuntu when a lot of users did not like the latest Ubuntu interface.

3) Hardware drivers
Linux drivers are available as free downloads from most, but not all, equipment manufacturers & from independent groups. Support for older equipment tends to be better in Linux than Windows as the Vendors only tend provide software support for current hardware and operating system

4) Licencing
For me by far and away the most important issue. I read the full MS licence when I purchased DOS version 2 many years ago and even back then you had no rights at all. You give the supplier hard earned cash and they permit you to run their software only how, where and when they allow, but entirely at your risk. Open Source Software allows you to do anything you want with the software except that you must allow anyone else to do the same to any software you develop that includes it.

5) Updates
Windows is a pain when updating, particularly when compared with Linux. I receive Linux updates every day or two which are installed entirely in the background. Very, very, occasionally there is an update to the Kernel of the system, which requires a reboot which I leave until I next shut the system down. It takes no additional time to install the Kernel update over a normal shut down and restart, so no time wasted while it shuts down or restarts :)

6) Media Support
DVD's play in Linux, but as there are issues relating to the licence it is not legal in all countries. I only play legal DVD's I own to ensure that I keep within the spirit of the Law, but it does allow you to copy them onto your system which is illegal in most places.

7) Future
Most Linux software is written by people employed by major companies to write Linux software - IBM, HP, Microsoft (!) etc. It already runs 99.9% of the world's super computers and through its Android derivative is the most used single consumer operating system in the world. Much, if not most, of the internet companies use it so its going to be around for a long time

I can strongly recommend Linux, unless you have some very specific software, eg Games playing, that can only be run on a particular operating system.

Cheers from a SLF

Well Sh_ee_it!

Never thought there would be a time when I was defending Windows...

First of all: Windows Update:

You can set Windows Update to download updates but let you choose whether to install them.

You can also set Windows Update to install updates on whatever day of the week you choose and at whatever time you choose (say 0300 hrs)

Windows Update releases once a month (Patch Tuesday - the second Tuesday of each month)

With an up-to-date system there are rarely more than 3-7 updates which take 10-15 minutes to install.

So bull!!!! to that.

As for locking down Windows being a PITA for some users, bull!!!! to that too unless you happen to be a dev in which case you might reasonably be expected to have Admin rights over your own machine.

At the risk of being boring, Sudo for Windows allows you excellent control for elevation of user privilege and Windows itself can be very easily tuned to be minimally intrusive for specialist users without giving them Admin rights.

I'm set up to run as a special user, with a few limited rights that the ordinary user would not have. Maybe because I'm used to Unix, but having to su to do critical things is just normal for me - just as it should be for everyone.

Od course I can login as root/Admin if I really need to, but most of the time you just plain don't - as any Unix person would tell you.

So bull!!!! to that too.

Windows can be well secured with minimal initial effort - so don't whine if you run as Admin the whole time and end up getting pwned!

Mac

:*

Sometimes I think devs should not have admin rights over their machines, that way we might finally start seeing certain software that runs correctly without requiring admin rights. :E

"..that way we might finally start seeing certain software that runs correctly without requiring admin rights.."

Amen!

But most modern user software (surprising how much, apart from system orientated utilities) runs just fine on a standard user account in Win7 and above.

People just have to wean themselves off doing their daily farting around as quasi-root in Windows - it is an invitation to malware.

No *nix user would dream of doing so.

Mac

I think this is the booby trap alluded to above when you innocently try to reboot or shut down the system. If you're not paying attention, you miss the correct option of "do it right now" and end up with the default option of "once I've installed this lot".

Win7 is a lot better than XP regarding admin privilege and general locking down of the default security.

Yes, that too. I admit to being caught once, in that I was asked to write a program that stored a bunch of stuff in the registry (so the user couldn't easily manipulate it). This was fine on XP but then MS seem to have properly restricted write access to the registry and it didn't work on Win7. Linux never had the concept of a registry, it's all done with random text files so it's easy to look for a per-user config. That seems to be the new MS model now, too.

I remember back in the day thinking that the MS devs should all have been given weedy machines to work with because it would have given them more incentive to make the code efficient and run at a decent speed.

Hahah, neither did I but they are improving their game security wise otherwise they will rapidly become history.

BTW, anyone seen a SCOM/SCCM implementation that actually works in practical sense?

They shouldn't period. Most devs know or care sweet F.A. about maintaining a managed environment and a significant percentage of them are short sighted.

But can you get windows to not download updates automatically. Frankly installing once its already nuked the bandwidth you may have can be less painful.

"But can you get windows to not download updates automatically?"

Yes, easily.

:hmm:

Thanks everyone for your very helpful insights into this aspect of the various operating systems. Much appreciated. :ok:

FOR

You end up with a standoff where the dev says he needs something installed on his machine in order to do his job and the IT department refusing to allow it, or taking a couple of days to get around to it. Especially as "need" can vary from "yes, absolutely" to "my life would be much easier with this utility". One could argue that for best productivity they should all be allowed if known not to be malware because productive devs are better than unproductive ones.

Not really, proper tooling is done at the initial phase of a project by experienced people and usually involves senior devs. Costs are factored and scopes are set. If anything needs to be changed along the way then there is a formal process for that too.

The days of the BOFH are long gone.

I have yet to work anywhere that this happens. Usually it's a case of "here's a standard machine, go install the stuff you need, install images are stored here". Obviously there's no concept of a lock-down involved in these cases.

The one place I did work with a proper lockdown, I couldn't fault the process, it's just that the sysadmin chose defaults for everything that were not what I'd choose and it was highly irritating. A perfectly valid set-up, just wrong for me. Even there, the devs ended up with admin rights to our own machines.


HP has re-introduced Windows 7 as an option on a lot of their PCs "due to customer demand".

Do yourself a favour and move to Linux (Olivia 15 Mint).

Spent the last week installing Win 8/8.1. I TRULY understand why Ballmer took the hint. STAY AWAY from windows for now. As a coder, I can only say it is an abomination.

25 years and ms screws you.

I am an MS scholar, but they truly dropped the ball with Vista and never recovered. Emotion plays no part here. Win 8 is a bloated, dishonest piece of software, PERIOD.

I rest my case.

Dell never abandoned Win 7 on their "Business" site.

If I understand the latest announcements, security patches for XP will now continue till July 2015. Hope thats the case as I dont want to upgrade till the last moment! Eg:

Microsoft keeps chipping away at Windows XP's end-of-life deadline | Microsoft windows - InfoWorld

You lot really are clutching at straws. Why on Earth would MS do that? Of what possible benefit would it be to them?

The truth is it's only support for MSE (Microsoft Security Essentials), their anti-virus product, and MSRT (Malicious Software Removal Tool) that has been extended. Nothing more.

I particularly liked this "I still think it's beholden on Microsoft to provide some sort of inexpensive update subscription for all XP users". C'mon guys, you've had how many years notice that this was coming? Five!!!

It is the last moment so get on with it! :ugh:

ChrisJ800,

That has already been covered on this thread http://www.pprune.org/computer-inter...upport-xp.html


In summary. You are mistaken. Just stop clutching at straws and get on with it.

Another vote for Linux Mint.

I spent some of the weekend playing around with a very old laptop (Compaq N610c, 1.8GHz CPU, 1 GB RAM, 40GB HDD) and decided to try installing Linux Mint 16 with the MATE desktop.

It was altogether a very positive experience - no installation problems at all, it even found and configured an equally old D-Link cardbus wifi adapter (wireless card support had been a major stumbling block in the past). The only issue I had was that the laptop doesn't support boot from USB, so I had to burn the ISO to a DVD and the installation was a lot slower off DVD.

For a Windows user I found the MATE desktop very easy to navigate.

OK, it's not blisteringly quick, but for a 12 year old laptop it's not at all bad. The last time I had used it was 2008, and XP & office XP performance seemed acceptable - it's a bit slower, but not much, with libre office.

I intend to use it as a learning tool, to get under the bonnet of Linux, so performance isn't that important.

I downloaded and installed a few packages - very slick.

A complete OS and application suite for zero cost, very easy to install, configure and use - what's not to like?

Impressed. :ok:

SD

Saab:

Also keep in mind that the Linux Mint user community can be very helpful.

Linux Mint Community

If you like the Mate desktop then you might like the Cinnamon alternative even more so. You can even install Cinnamon afterwards and choose between the two at startup!

While I've asked here about Win 7 Pro, that's for a commercial office which needs MS compatibility.... For my own use, I mostly switched to Linux Mint (Mate) a few months ago. Mint is fine for me, but I'm not sure that Little Old Ladies [LOL] could adapt.

I've put a Mint machine in a public-use location mostly used by such LOLs. The desktop has Icons for Firefox browser, four of their browser-based email programs, three Solitaire programs (including Spider), Google Earth, Picasa, LibreOffice writer and spreadsheet, etc. I've received zero reaction and there are indications that it has at least been tried.

I'm sticking with Mint 13 LTS (Long Term Support) until the next LTS version (17?) comes out. I find that even Mint 16 doesn't have an "approved" driver for a very recent Brother laser printer.

Please don't bite my head off, but the Office which will get the Win 7 Pro is going to keep an off-line XP for some of its vital software that doesn't have a newer version and is far too hard to rewrite (people have tried and failed). As an alternative, I have the ancient software running under DOSbox on Win 7 and Linux Mint, but ordinary DOSbox can't directly write to a printer.

seacue:

DOSbox might not be able to directly address a printer but if you ran Win 7, or any other version of Windows for that matter, in VirtualBox hosted by Linux Mint a printer can indeed be directly addressed. I do it all the time.

Well, my dear old Dad at 79 is coping fine with Linux and he's quite the computerphobe (he curls into a ball at the drop of a hat with new things). His needs are fairly basic - word processing, spreadsheet, e-mail, browsing and a few games. I ran him through things over several days and he hasn't looked back at WinXP once.

I did ease the way by making sure over the last few years that he was using programs that had Linux versions (OpenOffice, Firefox, Thunderbird) so the transition wasn't complicated by learning a new program as well.

He needs a bit of assistance for time to time or forgets how to do things, but then he did that with Windows too and it's not really any more frequent.

Actually, whilst you'll not find anyone more pro Windows than me, my up-to-date Win7 laptop required 20 updates last night and it took 45 minutes to install them, due to two of the updates being mahoosive ones.

My opinion as a software dev that uses osx, win and linux. There are all the same these days.

Most people use and internet browser and email program, and all OS's will do that just fine.

The nitpicking is just bull!!!!, its all personal preference.

You simply must meet some of the people I work with sometime :uhoh: