How do you get down off an elephant?

You don't get down off an elephant, you get down off a duck!

The same joke applies whenever somebody asks "How do you install anti-virus in Linux?". You don't install anti-virus in Linux, you install anti-virus in Windows.

Lately, when you try to tell people that they don't need to install anti-virus in Linux, they say "People tell me that, but I want it anyway".

So, let me explain why you don't need anti-virus in Linux, and to do this we have to start with an explanation of what a virus is.

A virus is a malicious computer program, written to perform some sort of criminal activity with your computer. This can include deleting your data, but these days viruses are much more subtle. They don't cause mindless destruction. They use your computer to illegally profit their writers. As such, they attempt to evade detection, because as soon as you detect them you would run an anti-virus scan and delete them! They also always set themselves to start up when the computer starts up, which is dependent on them gaining administrator access to your computer.

Once they have administrator access, they can evade detection until you run an anti-virus program that knows about them.

We all know that Windows programs don't run in Linux. A virus is simply a Windows program, so it doesn't run in Linux. This is because Linux programs use a different format to Windows programs - Windows programs use the EXE format, Linux programs use the ELF format. Even if Linux could understand EXE, it would be pointless because the programs would be trying to interact with Windows shared libraries or (in the case of viruses) the Windows internals directly, which of course are not present on Linux.

If you download a Windows trojan and double-click it on a Linux system, you get a "Cannot open file 'boobs.jpg.exe'" message. Linux doesn't understand the EXE executable format, only the ELF executable format. If you install a program like Wine, that can understand the EXE format and also allow the use of Windows shared libraries, you'll still find that viruses won't work. This is because the viruses try to gain access to the running instance of Windows, and of course there isn't one.
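The format difference described above can be checked from a file's first bytes. The following is an added example, not code from the original post: it identifies ELF and PE headers by their magic numbers and flags double-extension names like the one quoted above. The helper names and the sample headers are constructed for illustration.

```python
import struct

ELF_MACHINES = {3: "x86", 62: "x86-64", 183: "aarch64"}
PE_MACHINES = {0x14C: "x86", 0x8664: "x86-64", 0xAA64: "arm64"}
DOC_EXTS = {"jpg", "jpeg", "png", "gif", "pdf", "doc", "txt"}
EXE_EXTS = {"exe", "scr", "com", "bat", "pif"}

def make_elf_header(bits=64, machine=62):
    """Constructed sample: a 20-byte little-endian ELF header prefix."""
    ident = b"\x7fELF" + bytes([2 if bits == 64 else 1, 1, 1, 0]) + b"\x00" * 8
    return ident + struct.pack("<HH", 2, machine)  # e_type, e_machine

def make_pe_header(machine=0x14C, lfanew=0x80):
    """Constructed sample: DOS stub with e_lfanew at 0x3C, then the PE signature."""
    dos = b"MZ" + b"\x00" * 58 + struct.pack("<I", lfanew)
    return dos.ljust(lfanew, b"\x00") + b"PE\x00\x00" + struct.pack("<H", machine)

def identify(data: bytes) -> str:
    """Classify an executable by its header bytes, never by its file name."""
    if data[:4] == b"\x7fELF" and len(data) >= 20:
        bits = {1: 32, 2: 64}.get(data[4])        # EI_CLASS
        endian = {1: "<", 2: ">"}.get(data[5])    # EI_DATA
        if bits is None or endian is None:
            return "ELF (malformed ident)"
        (machine,) = struct.unpack_from(endian + "H", data, 18)
        return f"ELF {bits}-bit {ELF_MACHINES.get(machine, hex(machine))}"
    if data[:2] == b"MZ" and len(data) >= 0x40:
        (lfanew,) = struct.unpack_from("<I", data, 0x3C)
        if data[lfanew:lfanew + 4] == b"PE\x00\x00" and len(data) >= lfanew + 6:
            (machine,) = struct.unpack_from("<H", data, lfanew + 4)
            return f"PE {PE_MACHINES.get(machine, hex(machine))}"
        return "MZ (DOS executable, no PE header)"
    if data[:2] == b"#!":
        return "script"  # the kernel hands '#!' files to the named interpreter
    return "unknown"

def is_double_extension(name: str) -> bool:
    """True for names such as 'x.jpg.exe' that pose as a document or image."""
    parts = name.lower().split(".")
    return len(parts) >= 3 and parts[-1] in EXE_EXTS and parts[-2] in DOC_EXTS

def triage(name: str, data: bytes) -> dict:
    fmt = identify(data)
    return {
        "name": name,
        "format": fmt,
        "native_on_linux": fmt.startswith("ELF") or fmt == "script",
        "masquerading": is_double_extension(name),
    }

if __name__ == "__main__":
    for name, data in [("boobs.jpg.exe", make_pe_header()),
                       ("ls", make_elf_header())]:
        print(triage(name, data))
```
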

Or, if they are programmed more conventionally, they manage to install themselves into a system-wide area in what they think is your Windows installation, but is actually just a Wine installation in your home directory. The result is that the virus might keep running until you quit Wine or until you restart. If you restart and then run a Wine program, the virus still won't be run, because Wine doesn't perform a Windows startup sequence.

Even if a Windows virus was aware of Wine running on Linux, it still could not start itself up when Linux starts up. Linux's startup sequence requires root access, and there has never been any known way of getting a Windows program to give Wine the higher privileges necessary to modify the Linux startup sequence.

This is all fine in theory. I'm a big fan of the documentary series "Medical Mavericks", which documents the lives of medical self-experimenters, so I'll put my own computer on the line.

I started with a brand-new GNU/Linux computer that I used every day from its build-date in January, to early July. A virus scan with ClamAV today yields a clean result. No viruses. Also, Wine is not running at the moment, so no Windows viruses are resident. I also had a Windows computer that my father was using (verified as clean on the build-date of the Linux computer), but I had to stop the test early because it contracted zlob.downloader - a nasty form of Windows virus that actually downloads more viruses.

Both computers were connected via local area network, and only the Windows computer had a personal firewall. The whole LAN has a firewall. Neither computer ran any sort of anti-virus between the start of the test and the end of the test.

But what would happen if I took a Windows virus and actually tried explicitly running it in Wine? I found a virus on a Facebook group, downloaded it, and double-clicked it. Wine started running, and then immediately ended. Neither wine, nor wineserver, nor the virus program itself, was running anymore. I tried running Wine in a terminal, but no error messages were output. The virus started running, and then immediately stopped running. I checked again with ClamAV, and it found the copy of the virus that I was trying to run, but it didn't find any copies in /etc/init.d or anywhere else on my hard disk.

So do you need an anti-virus program in Linux? No, absolutely not! Windows viruses do not run. There are no Linux viruses, partly because there's no place in the system for a Linux virus to hide, and partly because of all the security features in a modern Linux system. There are few Mac viruses, and all of those take advantage of Apple-specific security blunders.

If you still want to install an anti-virus program on your first desktop Linux system, after all I've told you, then I'm concerned that you won't be able to break the Windows habit. But I'm sure that most, if not all of you, now understand more about why anti-virus is useless on Linux, and I warmly wish you good luck with the rest of your Linux adventures.

                            

Is OS X ready for the desktop?

In this article, I examine the reasons people give for not using Linux desktops, and ask myself: If Linux isn't "ready for the desktop", then is Mac OS X?

1. Linux doesn't come with all the codecs installed for industry-standard video formats like Windows Media Video!

Neither does OS X; it comes with support for its own proprietary standard, and Linux comes with support for an open standard. Maybe Windows and OS X are the ones which are "not ready for the desktop", as they don't come with support for Vorbis and Theora?

2. Parts of my computer hardware don't work with Linux! It should get better hardware compatibility, like Windows!

OS X doesn't run on ANY part of your computer. Funnily enough, people who want to switch to OS X seem to have no problems with buying a whole new computer (at a premium, too!). And you're so averse to the suggestion that you buy a new wireless card?

3. Most of my existing programs/games don't run on Linux!

None would on OS X. Zero, zip, nada. Some will run on Linux though, through Wine.

4. Nobody except super-nerds will want to use a command-line, even occasionally! That's why people will always use Windows.

Hmm, funny. Windows 3.1 and 95 relied on the command-line, especially for installing software, and yet more people used it than the GUI-only Mac OS. In fact, more people used DOS than used Mac OS.

5. Some programs don't automatically add themselves to the menu!

OS X doesn't even have a menu for programs to add themselves to, and you always have to manually add them to the dock.

6. It takes too much time for me to figure out the new operating system. The interface should be just like Windows, so I don't have to retrain myself.

I'm sure OS X users say the same thing about Windows. At least with Linux, unlike OS X, you can run KDE and install a Windows-lookalike theme. Heck, you could even download a picture of a BSOD and put it in your Cron tab, to give you that special homely feeling :-)

7. A Linux desktop is a mess of programs whose interfaces have completely different looks! [they are talking about Qt and GTK programs co-existing]

On the Mac OS, there are also two officially-sanctioned look-and-feels; Aqua, and Brushed Metal. Oh wait - now there's a titanium look that Apple must've licensed from LG. Plus, if you're running programs in Apple's X11 server, they will have their own looks and feels too. And Windows programs run through virtualisation will look different again!

Most of the programs you will use on Linux are either Qt or GTK, so that's only two sets of looks, and GTK programs will look like native Qt if you're running KDE. Even if you're running Gnome, you can choose a theme that is available for GTK and Qt (I am using BlueCurve for Qt and GTK at this very moment).

So really, Linux can easily have one consistent interface look, unlike Mac OS X.

And what do the aesthetics of the interface have to do with desktop readiness anyway?

8. When I tried to run Linux in Microsoft Virtual PC, [the sound stuttered / the colours looked grainy]!

Well duh. Linux is one of Microsoft's competitors. Virtual PC wouldn't be the first piece of Microsoft software that purposely tries to stop a competitor's technology from working. But try this: Install Mac OS X into MS Virtual PC. It won't even install, much less have stuttery sound or grainy graphics. Does that mean that OS X isn't ready for desktop use, because you can't try it out in a Microsoft virtualiser before committing to it?

If you want to try Linux in a virtual machine, use Virtualbox - it's free and works fine with Linux. Or bite the bullet and do a dual-boot - you'll get faster operation and the ability to try out some Linux games. Isn't that worthwhile?

Mac OS X Debunked

There is a lot of confusion in the Linux world about Mac OS X. I will now get rid of the confusion.

Confusion: Mac OS X is open-source.

Fact: Mac OS X contains many, many proprietary parts. In fact, most of it is completely closed-source.

Confusion: The core of OS X is open-source.

Fact: The core of OS X is an operating system called Darwin. Darwin consists of userland utilities, a bootloader called BootX (not to be confused with the Old-world Mac Linux bootloader), and the XNU kernel.

Darwin for PowerPC is open-source, and earlier versions of Darwin for x86 are open-source. However, from January 2006 to August 2006, Apple closed the source code of Darwin for x86. Apple publicly said in May that they will not release it. Proving Apple's ability to change its mind (latest version of Hypercard, anyone?), in August they did release it. This wasn't the first time the source code was closed, and seeing how the Osx86 project is going, it probably won't be the last time.

The derivative of Darwin which is an actual part of OS X is not really open-source. It contains proprietary drivers, and who knows what other proprietary bits?

Confusion: The OS X kernel is based on FreeBSD.

Fact: Apple themselves have seemed a little hazy on where their kernel has come from. Their website said on a couple of occasions that the OS X kernel was based on NetBSD. What they are saying now is that the kernel is based on FreeBSD, with bits from NetBSD (probably the Bluetooth stack).

According to Apple, there are changes that they made. Apple claims that the changes were pretty small, and improved performance. I don't believe those claims, but I haven't compared codebases to check. I suspect it's more a NeXT kernel than an actual BSD kernel.

(Incidentally, the kernel is called XNU. One presumes that stands for “XNU is Not Unix” - an apt name)

Confusion: Since the OS X kernel is based on FreeBSD, I can run Mac programs on my generic PC just by installing FreeBSD.

Fact: Nope. The Mac's executable format is not understandable by any free software OSes, not even Darwin (which isn't really very free). Also, you've got to remember that a program is not able to be run on a different operating system unless the relevant libraries are available. Mac OS X programs use the libraries that come with OS X, and these are proprietary and cannot be installed on any free operating system. Not even FreeBSD, which in reality only forms a minuscule part of the actual OS X system.

Confusion: Mac OS X is Unix-based. Linux is a free implementation of Unix. Security flaws in OS X are something that should concern all Linux users.

Fact: Not really. The security flaws in widely-used parts of OS X (like PHP, Python etc) may be of concern to Linux users, if the flaw is cross-OS. Of course, Apple modifies (cripples) programs like Python on OS X, so there may well be vulnerabilities introduced by Apple's own hacking. But what about vulnerabilities in the OS itself? See next question.

Confusion: Mac OS X is Unix-based. Therefore, it is secure against attack.

Fact: Apple is trying to make inroads with the home user and small business markets by saying that Mac OS X is secure. It's true that there are no OS X viruses in the wild at the moment, and it's true that OS X's security model is better than the one in Windows XP. But in comparison to a truly secure operating system, is OS X as good?

Other dumb security flaws revealed over the years include Safari's assumption that it's safe to run shell scripts inside zip files that you download, and a way for a limited user to get a root shell that many people accidentally discovered.

Safari is the Apple equivalent of Internet Explorer 6 – comes with the operating system and provides most of its security flaws. Both the Windows version and the iPhone/iPod Touch versions of Safari have a particular security flaw that will, without warning, download an executable to your desktop from an untrusted IFRAME. This exact same flaw was present in Internet Explorer 6, and it was fixed with XP Service Pack 1. That's right, Apple is making the same mistakes that Microsoft made years ago.

While we're on the subject of the iPhone and Windows XP, Apple is about to release a firmware update for the iPhone. Usually I wouldn't take any notice of the announcement, except that the new firmware is said to create a limited user account for the user, and to end the practice of absolutely everything running as root (administrator) on the iPhone. Not even I would have believed that Apple would run the iPhone entirely as root, but it seems that they did, changing the policy only when it became a necessity to open the iPhone up to third-party programs. Even on a supposedly “closed” platform like the iPhone, it is still an insane idea to allow all preinstalled code, the web browser and untrusted wifi data to have access to root. Microsoft stopped that practice a year ago with the release of Windows Vista, after they realised that malicious websites could convince a web browser (Firefox, IE, Opera, Safari etc) to run arbitrary code.

Does Apple care about security at all? Probably not; if you try to update to Leopard and you have a long (therefore strong) password, you could be locked out of your own system... at least until you get into a terminal and fix it. What a penalty for being security-minded! Does this mean that everyone at Apple has a short password? Maybe they highlight their passwords in a Webster's Dictionary in case they forget them!

BTW: Mac wireless users, make sure your name isn't being broadcast to the world via your “computer name” (e.g. Joe Blogg's Computer). It's not a bug, it's a feature!

Confusion: Apple has a Yum-like automatic software updater, so you can get security updates whenever they become available.

Fact: True in theory. Partly true in practice.

Yes, the software gets updated when Apple makes the update available. When does Apple make the update available? As soon as it has a bunch of updates for other programs. Linux distributions package security updates and push them to users within 24 hours; in the enterprise distros it can be within an hour. Mac OS X pushes them to users in a week or so. If you're lucky. A study showed that the shortest patch time for recent Apple security updates was 80 days, which surprised even me.

But shockingly, early last year, a bug that sent e-mail passwords in cleartext over the Internet remained unfixed in OS X for 4 months after it was fixed upstream (in the relevant OSS project). Apple, if you're wondering why no-one is buying the Xserve, you might want to look at this.

Confusion: Linux is fast on my machine. OS X is based on Unix, which means it should be fast.

Fact: Mac OS X is slow. Nobody quite knows why. Personally, I suspect it's a combination of these things:

  1. Using a microkernel (these are slower than monolithic kernels). No, fanboys; it's a microkernel.

  2. Possible use of the Java Virtual Machine for common tasks

  3. Use of Objective-C (a higher-level language than C with many features of the popular interpreted languages) in operating system and applications. Many people say that an entire operating system coded in C++ would be too slow. Objective-C is slower than C++.

If the choice is between running Windows XP Home and OS X, then OS X could be faster if you're big on multitasking. Then again, maybe it won't unless you have a dual-core or dual-processor machine. In a race between XP Pro and OS X, it's a foregone conclusion; OS X is so hopelessly inefficient.

Of course, in a race between OS X and Linux on speed, the latter will win. Such races have been held. No prizes for guessing who won. Admittedly, some functions may be faster on OS X due to different kernel and library design; but most of the time, the penguin is in the lead.

Confusion: OS X is POSIX-compliant.

Fact: In reality, OS X does not satisfy all requirements for POSIX-compliance. In POSIX operating systems, all files must only have one fork (“fork” is used here as a word meaning “section”). The Macintosh, however, actively uses and encourages files with two forks. POSIX systems and Windows only recognise one fork (the data fork), and cannot read the Mac's other fork (the resource fork).

Whereas Linux and Unix can both share application source code freely, the code often needs modification before it will compile and run on OS X. Some of this has to do with OS X's hiding of certain crucial system directories – something a truly POSIX-compliant operating system would not do.

Confusion: You're a Mac hater!

Fact: My first, second, third, fourth, fifth, sixth and seventh computers were all Macs running the Classic Mac OS. I tried OS X, but it made me switch to Ubuntu. I've got an x86 PC now running Ubuntu.

But I still occasionally use my sixth Mac – the iMac which runs OS 9 and Ubuntu. In terms of hardware, Apple is pretty good (NOTE: I wrote this article before the MacBook Air came out). In terms of application software and eye-candy, Apple is pretty good (I have to take points off for iTunes – even without the DRM, spyware and horrible brushed-metal look it's still a piece of unusable bollocks). In terms of operating systems, Apple needs a wake-up call. Just because NeXTStep is a fondly-remembered OS from the 90s, doesn't mean we want to run it on today's computers. Apple can potentially cut off Microsoft's limbs, and I'd like for them to do it; but they aren't going to do it with an operating system marginally better than Windows.

And next time, make a genuine effort with the open-source community. For instance, why not try letting your volunteer bug-fixers see your BUG TRACKER, for goodness sake? Or hey, if some people want to help you make your operating system better for free, give them some bloody support.

New Section: Permanent Articles

Welcome to the new section of the blog. Basically, I have some things that I've written that sit in my home directory and get updated. I'm sure these would be interesting or useful to people, especially since they get updated, so rather than get some free webspace or (shock!) paid webspace I'll just put them up here. I can edit posts on this blog, so I'll just do that whenever I have something to add. And I can "permalink" to the articles from the Ubuntu Forums.

Following shortly will be the "Mac OS X Debunked" and "OS X - Desktop Ready?" articles - the latter I'm sure you'll get a kick out of.