Archive for the 'apple sucks' Category

An OS Comparison Article

April 17, 2008

I hate this kind of article…

OS Smackdown: Linux vs. Mac OS X vs. Windows Vista vs. Windows XP:

Since the dawn of time — or, at least, the dawn of personal computers — the holy wars over desktop operating systems have raged, with each faction proclaiming the unrivaled superiority of its chosen OS and the vile loathsomeness of all others.

Let’s look at some of the un-truths told by the advocates.

First, the Linux fanboi writes:

Unlike Mac OS and Windows, Linux is free as air and open to development by folks who are motivated by the desire to make the technology better, rather than by corporate tech farms whose real interest is the bottom line.

Free as in air isn’t really free as in air. It may not cost you much to install Linux on your home computer, but installing it on 25 desktops in your business wouldn’t be free as in air. You’d have plenty of costs associated with the installation and with re-training users. Depending on the time frame you’d allow for reduced productivity, it could be cheaper to upgrade to Vista licenses and new hardware. I think this is one of the dumbest arguments for Linux because too many advocates don’t understand that learning curves cost companies time and money. And the last time I checked, the costs of hiring someone with an RHCE were comparable to bringing in an MCSE.

Let’s also forget that the chief submitters to the Linux kernel and to many of the libraries, utilities, and applications are employed by IBM, Novell, Red Hat, Sun, and many other companies whose interests are the bottom line. So I beg to differ, too, that profit is a bad thing.

If the world doesn’t want to use Microsoft software, Microsoft won’t stay in business. That makes them accountable to consumers and users, and I don’t think accountability is such a bad thing. If I have a problem with Windows, I go to my vendor and/or Microsoft. If I have a problem with Vector Linux and getting X set up or problems with python, who’s accountable? Linus won’t take my calls, but neither will Bill. Microsoft has websites and toll free help lines (depending on your level of support). Vector has a website and a forum. Maybe someone in an IRC channel can help me sort it out?

He continues,

Which is all very nice, but is it any good as a desktop operating system? You bet.

“Bet” is a gamble; most enterprise users won’t gamble — and neither will casual users who are more interested in doing things as quickly as possible. I’m not a casual user. I use Linux almost exclusively on desktop. Is it as good as Windows for that? No, I don’t think so. I have few problems using Linux/BSD but I can’t recommend it for most users. It’s not on the same level as Windows yet. And that’s not just my take, that includes many in the Linux/BSD/open source communities and companies like Novell and Red Hat (not to mention computer sellers, some of whom have found out firsthand that users won’t rush in to buy machines with Linux even if they save a few bucks from not needing a Windows license — what does that tell you?).

Let’s start with the hardware footprint: With the possible exception of BSD, Linux’s ‘sister,’ Linux is the lightest thing you’ll ever install on your computer. While the minimum required hardware for Windows has been bloating, and Macs need more and more horsepower to run OS X, you can still dig out your old 486 and fire up Linux without problems.

That isn’t entirely true. Nor is it entirely desirable since most users expect more than what you can squeeze out of Linux on a 486. Most modern/updated Linux distros will no longer run on 486s. Indeed, the most popular distros targeted at newer users — who are NOT those who will start with Slackware or LFS — have requirements in line with other modern operating systems like Vista and OSX. Linux distros are prone to the same bloat-mentality prevailing anywhere else. That’s because developers and packagers target modern hardware, not the lowest possible denominator. So initial footprint is beside the point except for experienced users.

While there are some exceptions, the rule in the Linux world has matched that of Vista: the goal is to match system requirements to prevailing technology and expect that users will upgrade systems periodically. That’s why Ubuntu, PCLOS, and SuSe will not run on a 486 (not without lots of stripping and recompiling apps with minimal possible libraries for running in leaner systems). DSL with its 2.4 kernel and nearly Y2K-level software will run on console on a 486 so long as it has 16 MB of RAM. But so will a nearly Y2K-era version of Windows — same era software, same era hardware (apples to apples). So what’s the point…

Then the fanboi writes:

Linux is not only small, but it’s also stable. I have several Windows boxes at home, and it seems like whenever I blink, something has gotten screwed up in the registry or I have a Dynamic Link Library conflict.

This is ridiculous hyperbole and ironic. I have one hard drive with Windows NT workstation, circa 1996, that has run admirably with no DLL problems or registry conflicts. Then again, I kept it up to date with the service packs and ran it as it was designed to run: separate administrator account, anti-virus software, etc. I was also an early adopter of XP because it was based on the very stable NT. Again, no problems. Ever. The only virus I’ve ever had on any Microsoft computer was ‘stoned’ in about 1990. I started using DOS in 1985. I’d used Apples (got my Apple II in 1979), a series of Commodores and Timex-Sinclairs, and one Mac before switching to PCs for the most part (since 1985, I’ve had a few Macs, one BeBox, and a couple SPARCs). I had more trouble with Apples and Macs than real PCs. I have one Mac remaining but I don’t use it; I also have several boxes of Mac parts.

I’ve also encountered plenty of issues with Linux. That includes buggy drivers and poorly coded scripts that have done things like load modules for filesystems I wasn’t using, cause kernel panics, etc. How the hell is a kernel panic any different from BSOD — a Windows fate I never experienced myself because I’ve kept my systems patched? And what about all the dependency hassles experienced even when running one of the more bloated distros like Ubuntu or PCLOS? How is that any different from the complaint about DLL conflicts?

Same answer to all questions: It isn’t any different. Linux users should stop relying on such stupid arguments because those aren’t significant differences. And with all due respect, average users will find tweaking registry entries in friendly GUIs — or restore points in XP — much easier solutions to sorting out Windows issues than going through series of Linux init scripts and various config files even if they are text files. Much less issues with peculiar libraries used by odd applications; at least Windows users have fairly standard DLLs upon which all developers build apps.

Every operating system and distributed computing environment (since Linux itself is merely a kernel — Linux isn’t Ubuntu, but Ubuntu uses the Linux kernel) is prone to some kind of breakage. The more complex something is, the more likely there are going to be some kinds of issues affecting users. Windows is complex. So are Linux distributions, especially ones focusing on desktop use. Linux distros may even be considered more complex from the standpoint that Windows is more standardized as noted above. This is certainly true when looking at how many different libraries binary packagers build their packages against and how many problems that can cause if the end user doesn’t want all kinds of stuff just to use one app from the package management system.

Linux doesn’t get points over Windows for this. They’re evenly matched. Or Windows gets an edge.

Unfortunately, the penguin-loving fanboi continued with something I’ve blogged about:

In the recent “Pwn 2 Own” hacker challenge, computers running Mac OS X and Windows Vista were cracked, but the Linux machine wasn’t. I won’t claim that Linux has no security or virus problems, but they tend to be right out in the open where you can see them if you look. At the moment, there are far fewer Linux viruses out in the wild than Windows viruses, and there are fairly bullet-proof ways to detect viruses under Linux using checksums on files.

Let’s get something straight. The Mac was pwned due to an exploit in Safari, which is Apple’s own code that comes with the computer; in fairness, the Mac was pwned after the rules were relaxed a little. The laptop with Vista wasn’t pwned until the last day when the rules were relaxed even further. The pwner took advantage of a Flash/Java/DEP vulnerability — using third party software — and not something inherently vulnerable due to Windows code. My understanding of that exploit, which has yet to be published, is that it’s cross-platform — and that it could affect a Linux system with Flash and Java. It wasn’t tried on either other platform in pwn2own because of the rules. Whether or not that specific exploit really works on Linux computers running Flash is beside the point anyway: Linux versions of Flash are every bit as dangerous in the wild.

At least Flash works as it’s supposed to in Windows. What was the point again? Oh yeah, Linux is supposedly better than Windows. Not.

One more thing about this as it relates to Vista. Vista’s security is head and shoulders above XP’s and earlier versions’. Those who insist that Vista is on par with XP and earlier security simply haven’t investigated it for themselves and are engaging in sheer FUD. Among those giving Microsoft props for their commitment to making Vista more secure are those who’ve won pwn2own before. I’ll go even further and say that I think Vista is inherently safer than Linux; anyone running the same kernel version I am — or within several iterations either way — should have updated with a novmsplice patch or upgraded kernel, which is one of the things I would cite in my reasons why I would say Vista is safer. That’s Linux-specific, not related to PHP or samba or some other code thrown into distros. But when you get into all the other stuff thrown into a standard distro mix of utilities and libraries and applications, that’s where Vista shines. Go ahead and run apt-get dist-upgrade every day and pray your system doesn’t break; I’ll stick with Microsoft’s automatic updates because their turn-around time on patching is faster and because they’re a centralized and accountable source of the updates, not relying on hundreds or thousands of package submitters whose intentions or abilities you may question.

Now let’s look at the Mac Kool-Aid drinker’s take on OSX:

Did I mention that Leopard is a certified Unix product, too? Mac OS X is the only operating system that can run all mainstream Windows and “*nix”-based operating systems — and host “*nix” software natively — with few of the usual security risks.

Along with its famed user interface, one of the keys to the success of Mac OS X is the lack of malware, spyware and self-propagating viruses. We can debate the reasons — whether it’s the security inherent to the modern BSD underpinnings of Apple’s code or the “security by obscurity” theory — but Macs are not susceptible to the problems that have always plagued Windows PCs.

Security by obscurity isn’t a theory. Nor is it security. It’s obscurity. Mac’s security is third-rate. Not second-rate, third. Its Unix family lineage isn’t why it’s secure — that’s a non sequitur. Many of the most open vulnerabilities have occurred in or were developed for and on Unix-like operating systems. How many people still use telnet?

Many Mac users insist on running in single user mode. That’s no different from Windows 95 and earlier and the lack of permission levels that led to the prevailing attitude that there’s something inherently inferior about Windows. There isn’t. It doesn’t matter whether you run OSX, Linux, or Windows as root/administrator — it’s a bad, unsafe practice that can lead to serious trouble. I don’t even set computers up to use sudo except with password because I don’t care to allow anyone taking over my account to have full system privileges. Yet that’s how many operating systems are designed. Puppy Linux runs as root only. So does Dynebolic. Knoppix and DSL and other live CDs set up users with full system privileges via sudo. For live CDs, that’s fine. For anything else, I don’t care for it.

Apple does nothing to dissuade users from it. Single user with full system privileges. Coffee shop hot spot. Easy target.

OSX had more severe advisories than Vista and XP combined last year. Local and remote. Third party and first party.

Stop drinking the damn Kool-Aid.

Now let’s look at the one almost everyone else loves to hate. I’m skipping the XP guy because I don’t care for the Luddite-like hysteria by those who insist Microsoft extend XP’s life. I wasn’t happy when the NT 4.x support stopped, but that’s the way business and life goes. I’m no happier that Linux 2.4 development is waning because users are expected to migrate to newer hardware. I’m in the same boat that way, but I’m not crying. I’m using Linux 2.6 and reducing its resource demands to fit my hardware. XP users can do the same thing with Vista, which is not a one-size-fits-all OS as some portray it. It’s very scalable, just like other modern operating systems, and can be tweaked to perform well on older computers within reason. You just won’t enjoy all the graphical BS that has greater demands.

The Vista fanboi candidly writes,

Now, it’s true that for the moment, Windows XP is superior to Vista when it comes to software compatibility. But that won’t last long. The best and newest software will be built for Vista, not XP. So if you want to look to the future, not the past, Vista is the way to go.

This is true. Again let me reminisce about my NT days. I was running an OS that couldn’t run a lot of the stuff my friends using 16-bit Windows (3.1, 95/98) were running. I didn’t have the same level of plug and play support. Drivers were written for the other versions, not NT. The only USB drivers for NT I’m aware of were from third-party software companies and Dell (which was developed in-house for NT and worked surprisingly well). In short, most consumer software wasn’t being written for NT and most devices weren’t including driver support for NT. Everything was for 95/98. Then came WinME, a half-hearted attempt to move to NT. Then came XP. There was no turning back. Some of my enterprise software would run on XP, but many companies made upgrades available for those migrating to XP — good business decision because the world was going to turn to XP and away from NT and 95/98.

The same thing is going to happen for Vista. No matter how much FUD is spread about it, it’s not the future. It’s the present. The footdraggers aren’t leading the way. They’re fighting a losing battle.

The Vista guy continues,

As for Linux, if you’re a fan, feel free to fly your uber-geek badge every time you boot up — but don’t expect to run your company’s enterprise software, much less mainstream software and games. And do expect to become very familiar with the confusing vagaries of the specific version of Linux you’ve installed.

This is one of the things about Linux I think gets lost among its most ardent advocates. The world isn’t looking for myriad choices, it’s looking to get stuff done. The distros that target enterprise users understand this very well. You can prattle for days about window managers and eye candy, but that doesn’t lead to adoption in the enterprise. Enterprise is won over by commonalities. Enterprise is lost when the applications it needs are either unavailable or — the irony here is overwhelming — have peculiar library demands. Yes, that nasty issue about libraries/DLLs applies to Linux here.

Microsoft is where they are because they played their cards right when it came to matching their software to the most widely available hardware. Apple was too busy playing with goofy interfaces and buses to be a serious player in the enterprise when it mattered most. While Apple was busy creating its own alternate universe, Microsoft was trying to cater to the real, existing one. That’s why Microsoft runs over 90% of the world’s desktops and has serious marketshare in servers as well.

I’m not anti-any of these platforms. Each can do what some users need. None is perfect for every possible task. Each can be as safe as the other if the user is attentive to keeping his system secure. The user, as I’ve written so many times, is the weakest link in security.

The Mac user noted how easy it is for him to make movies. The Windows user noted how everything, especially enterprise-grade software, is written for Windows. The Linux user made some valid points about the cost of his software (though, to be fair, it’s not exactly free to retrain employees to make equivalent use of open source software if they’re already productive on closed source software). All three also engage in some level of blindness about the others, but two of them stand out: the Mac user has a gullible feeling of invincibility, and the Linux user shows smugness about, well, everything, along with ignorance when it comes to comparing and contrasting Windows and Linux.

Maybe the one lesson from this kind of comparison-article is that we don’t need more of them from advocates. Maybe we need more honesty and fair comparisons from people without axes to grind.

Apple Challenged by Clone Maker

April 15, 2008

Mac cultists are pissed that some interlopers dare move into their sphere. Meanwhile, Apple has been strangely silent. This is the same company that reflexively sends cease and desist orders to people who post steps for installing their OS on non-Apple hardware. Or mentioning that it’s even possible.

Mac Clone Maker Psystar Vows To Challenge Apple EULA - Apple Unvarnished - InformationWeek:

Psystar’s OpenMac clone is priced at about $399 — less than one-fifth of what a similar, Apple-branded system sells for. It also represents a direct violation of Apple’s end-user license agreement, which forbids third-party installations of Leopard.

But Psystar said Monday that the company believes Apple’s terms violate U.S. monopoly laws. “What if Microsoft said you could only install Windows on Dell computers?” said a Psystar employee.

The employee, who would only identify himself as Robert, said Apple grossly overcharges for the hardware on which its operating systems, including Leopard, come preinstalled. “They’re charging an 80% markup on hardware,” Robert said in a brief phone interview.

I agree that Apple charges a premium price for mediocre hardware enshrined in aesthetically above-average casing running an operating system long on flash and short on security. If Mac users want to overpay for that, more power to them. As far as the restrictive OSX EULA, who knows. My own preference is to not do business with someone who requires me to purchase their hardware to use their OS.

The Open Computer can be seen here. Available in black or white. Base price includes Core 2 Duo running 2.2 mhz, 2 GB DDR RAM, 250 MB SATA hard drive, no operating system. They’ll preinstall OSX Leopard for $155. Lawyer not included.

Then there are the skeptics. Fair questions. What’s up with Psystar? Has anyone done business with them before?

Back to the markup issue and thinking of the iPhone rebates Apple authorized when they dropped their prices and the early adopters whined. I wonder how many Mac owners would expect a rebate if Apple’s restrictions were lifted and they had to lower their prices to what cloners would offer. I remember what happened during the brief period when Apple licensed their OS: more savvy users embraced clones that beat Apple to the punch with more standard (e.g., IDE and PCI buses, VGA, etc.) interfaces. It would certainly benefit users to let them choose their own hardware (Intel x86 architecture is the same whether it’s running Windows or OSX or anything else, there’s no special magic); it would cripple Apple.

April Fools

April 1, 2008

I haven’t had much time to check out different sites’ April Fools gags yet, but the two I’ve found have been kind of amusing.

The first I encountered was gmail’s new “custom time” feature; unfortunately, this one was broken in a text browser (lynx) when I first looked (tip of the day if you think gmail loads too slowly in your browser: enable imap and use your email client or use a text browser like elinks or lynx). This feature means never having to offer belated wishes for a happy birthday, anniversary, or anything else. Could come in really handy on deadline projects, too.

The second was before I fired up Firefox so I’m going to have to go watch Shawn Powers’ announcement that Linux Journal is going to include a lot more BeOS coverage and the Pentium Pro technology that makes BeOS shine.

I just looked at the LJ site in Firefox and the graphics are worth the visit today.

The “apple sucks” category is because Apple chose NeXT over BeOS for what became OSX. I’m not saying BeOS was inherently better, but rather Apple has given Unix a bad name.

CanSecWest: pwn2own Wrap Up (Adobe Flash Causes Vista Laptop Pwnage)

March 29, 2008

Apple’s Leopard lasts ‘30 seconds’ in hack contest:

“It might have taken eight minutes to sit down and open the computer but, when the competition started, 30 seconds later, it was over,” said Miller…. Competitors in the hacking race were allowed to choose either a Sony laptop running Ubuntu 7.10, a Fujitsu laptop running Vista Ultimate SP1 or a MacBook Air running OS X 10.5.2.

“We could have chosen any of those three but had to make a judgement call on which would be the easiest and decided it would be Leopard,” Miller said.

Miller further elaborated, “I use a MacBook all the time and that’s what I used in the contest to attack the MacBook Air. I like Macs. That’s the reason I went for it; it’s in my best interest for them to be as secure as possible.”

Meanwhile, the Fujitsu with Vista (and Vista’s SP1) remained unscathed until late in the day yesterday when Adobe Flash was installed. Shane Macaulay, who with the collaboration of Dino Dai Zovi pwned the Mac in last year’s pwn2own, used a new Flash 0day exploit to claim the Fujitsu and $5000.

Readers of my blog know I’m a proponent of flashblock and other extensions for Firefox (and Seamonkey) that help users whitelist trusted sites. Flash has proven susceptible to malevolence too many times to be allowed to run promiscuously, if at all. FWIW, I only use flash temporarily — install it, use it, remove it; so I use it only as needed — for dealing with youtube content.

Dissing Safari for Windows (And Rightly So)

March 28, 2008

A rocky Windows trek for Apple’s Safari browser

The first problem for Safari 3.1, Apple’s new Web browser for Windows, was how it arrived on people’s computers. Last week millions who were only marginally connected to Apple — because they’d downloaded iTunes — were prompted to “update” to Safari, even though they’d never expressed an interest in the thing.

The article goes on to compare it to “Microsoftian bundling” [sic], notes the problems (since “fixed”) with Apple’s EULA for this browser they’re sneaking onto people’s computers, and mentions the chronic issues with crashes and security advisories. The concluding sentence says it all: “But this was supposed to be the best browser in the world.”

Not if it comes from Apple.

pwn2own Confirmation: 0day in Safari

March 27, 2008

Windows users with iTunes beware! Apple has opted you in to install their vulnerable Safari browser on your computer with iTunes updates. You must click the Safari update box off before updating iTunes if you don’t want to install Safari.

PWN to OWN Day Two: First Winner Emerges!:

They were able to exploit a brand new 0day vulnerability in Apple’s Safari web browser. Coincidentally, Apple has just started to ship Safari to some Windows machines, with its iTunes update service. The vulnerability has been acquired by the Zero Day Initiative, and has been responsibly disclosed to Apple who is now working on the issue.

So if you update iTunes and install Safari, you’re getting this exploitable code on your computer.

I may have more information about the nature of the exploit tomorrow. :-)

EDIT/UPDATES:

  1. The exploit Charlie Miller used to win the coveted Macbook Err involved a telnet exploit via privilege escalation from a malformed/malicious link. Reportedly. We’ll find out when Apple gets around to fixing it. Which brings me to another point…
  2. Before anyone dismisses my objections to Apple’s requirement that users opt-out of installing Safari when updating iTunes, look at Secunia’s new advisory. Note that it’s highly critical. Safari is buggy and vulnerable in OSX. It’s even worse in Windows.

CanSecWest pwn2own: Mac Pwned within Two Minutes

March 27, 2008

Mac OS X first to fall:

In the first attempted attack in the PWN2OWN contest, a security analyst breached the defenses of Apple’s Mac OS X using a bug in the Safari browser and won $10,000 as well as the computer that he compromised.

Charlie Miller, principal analyst with Independent Security Evaluators and the researcher who found some significant flaws in Apple’s iPhone last summer, compromised the Apple MacBook Air in less than a minute. While he refrained from describing the flaw, SecurityFocus learned that the issue affected the Safari browser. Contest officials said that the MacBook Air was running the latest version of Mac OS X, version 10.5.2 or “Leopard.”

Told ya the Mac would get pwned first. That Fujitsu with Vista should be just as easy to pwn if it has Safari for Windows. Not because Windows sucks (sorry, haters, but Microsoft deserves big props for taking security seriously) but because Apple does and Safari is not Microsoft code.

Shame on Apple, Steve Jobs is More Evil Than Bill Gates

March 26, 2008

Why did Apple try to push its browser onto Windows PCs? | Technology | The Guardian:

It turns out that not only would having iTunes (which demands QuickTime) lead to your being “offered” a new browser for your machine, but Safari would bring along with it another piece of Apple fun, called “Bonjour for Windows” - an Apple-developed method of auto-discovering services on the local network. (Adding iTunes also brings in its wake a slew of iPod services, even if you haven’t got an iPod.)

One of the charges leveled against John Lilly by the Mac fanbois is that he’s afraid of losing money to Apple. The Guardian has it right: turn it back around on Apple and their quest for money.

“But it’s still quite a leap from updating existing software to installing entirely new stuff.”

That’s the real issue here. People take Microsoft to task for their verification and update systems. Why are more people not calling Steve Jobs out for being the scumbag he is or ranting against Apple for installing new, entirely different software when users update one particular piece of software?

Mozilla CEO: Apple Safari Like Malware

March 26, 2008

Apple’s Safari browser likened to malware:

Mozilla chief executive John Lilly has lambasted Apple for its use of iTunes to offer the Safari web browser to Windows users, saying the technique “borders on malware distribution practices” and undermines the security of the Internet. “What Apple is doing now with their Apple Software Update on Windows is wrong,” Lilly wrote on his personal blog. “It undermines the trust relationship great companies have with their customers, and that’s bad - not just for Apple, but for the security of the whole web.”

The problem is Apple now includes Safari as a default download for Apple Software Update. ASU is a bloated piece of shit that runs 24/7 if you let it. You get it when you install QuickTime or iTunes on a Windows PC. When Apple releases these super-sized patch sets for their vulnerable software — and make no mistake, Apple’s code is third-rate and very insecure — it now includes updates for software many users either don’t have or don’t care to have.

Rather than installing iTunes when you get an iPod, consider any of the many alternatives. Many of them are either free or inexpensive, nearly all of them are much less resource-intensive and probably less buggy as a result. WinAmp can be used to sync/manage an iPod.

Edit: Lilly’s blog is here. He’s since defended himself against attacks by the Mac fanbois. The most salient points he made, though, were these:

Apple has made it incredibly easy — the default, even — for users to install ride along software that they didn’t ask for, and maybe didn’t want. This is wrong, and borders on malware distribution practices.

It’s wrong because it undermines the trust that we’re all trying to build with users. Because it means that an update isn’t just an update, but is maybe something more. Because it ultimately undermines the safety of users on the web by eroding that relationship. It’s a bad practice and should stop.

I don’t mind being presented opt-in choices. I resent having to opt out of things like this. As buggy as Safari for Windows has proven to be thus far, and given Apple’s subtleties when it comes to threat severities, they should be ashamed for making this kind of choice for users. Their browser should be installed only when users actually select it, rather than Apple making that choice for less attentive and less diligent users.

Apple Releases “Mother of All Security Updates”… AGAIN!

March 26, 2008

On the heels of a recent attempt to plug the leaky sieve known as OSX, Apple has released another update for almost 90 vulnerabilities. Half affect open source packages, the rest are native OSX bugs.

Apple issues mega-monster security update:

Apple Inc. Tuesday issued a record-breaking security update that patched nearly 90 vulnerabilities in both its own code and the third-party applications it bundles with its Tiger and Leopard operating systems….

Unlike other operating system vendors, Apple doesn’t rate the vulnerabilities it patches. A large number of the fixes Tuesday, however, were accompanied by Apple phrasing — “arbitrary code execution” — that signals the bug could be used by attackers to infect a Mac with malicious code. In others’ ranking systems, vulnerabilities like that are typically classified as “critical” threats.

OSX is a critical threat. If you own a Mac, install Linux or even Vista. It’s safer.