> That blame still appropriately lies with maladaptive behaviors learned from Windows.
As a Linux nerd who started tinkering around 2001, I’m having a hard time with this framing. Being a Linux user around that era involved regularly compiling code that practically I couldn’t review. While the steps involved were different, the behaviors associated with installing software were not inherently more secure than windows at the time.
The main differences were: 1) I was more technically savvy and thus not as likely to install something obviously dangerous and 2) One just wasn’t very likely to run into a repo impacted by supply chain compromise or somesuch. Those same behaviors today are pretty risky in comparison, leading to threads like this one.
I’d argue that it’s less about windows being a source of maladaptive behavior, and more about windows attracting users who don’t know better than to behave the way they do. If those same low-tech users were somehow using Linux at the time, I don’t think they’d have learned anything more adaptive, and/or Linux would have been a much larger target, changing the threat landscape entirely.
But to go a step further, I guess the question that comes up for me is: why does it matter if it’s the fault of Windows? The typical “OS war” rhetoric never made much sense to me.
To me, the point of running Linux or really any desktop OS is to allow me to go beyond walled gardens.
My brother is a non-technical artist/creator type. If he relied only on the system package manager, he might as well use an iPad.
What you’re framing here as “violating rules” is really just “using the computer for its intended purpose”.
Following those rules may fix the security problem, in the same way that never leaving my apartment will probably protect me from most seasonal illnesses.
We need better ways to universally indicate trust in distributed software beyond system package managers.
> The main differences were: 1) I was more technically savvy and thus not as likely to install something obviously dangerous and 2) One just wasn’t very likely to run into a repo impacted by supply chain compromise or somesuch. Those same behaviors today are pretty risky in comparison, leading to threads like this one.
Yes, and I would add 3) there was no meaningful malware made for Linux back then, because it wasn't a target for malware authors. Otherwise you (and I!) would have been hit. I didn't understand half the stuff I installed on my Linux box back then, and many install instructions were positively arcane.
> To me, the point of running Linux or really any desktop OS is to allow me to go beyond walled gardens. My brother is a non-technical artist/creator type. If he relied only on the system package manager, he might as well use an iPad.
Fully agreed! Furthermore, anyone using Linux back then would have found your opinion entirely uncontroversial. The point of Linux back then was freedom to do whatever. Gardens -- even non-walled gardens -- were not the point.
Sure, if you turned the 90's/2000's herd of Windows users loose on Linux, you'd likely run into many of the same issues. But still modulo needed software being available in a package manager or at least with a higher barrier to entry of developing substantive source code, rather than needing to use sketchy warez or "legitimate" download sites that added in less-severe malware.
But the real condemnation of Windows isn't just an "OS war", but rather the fight is about the virtue of understanding the software in front of you. This is critical to security - not in the small (the idea that an individual can audit every line of code they run is a fallacious straw man), but rather on the large scale. Having published source code allows the building of a distributed consensus that something can be trusted, not beholden to the existing power structure, whereas without that you're stuck trusting the word of a single company and/of their auditors.
Like today we see malware continually being bundled with proprietary software, so often that it's considered banal and just how things are (eg web surveillance). Yet in Libre land when something like this happens it's still seen as an exceptional occurrence that needs to be stomped down hard. That directly follows from the underlying attitudes of unilateral "trust us" versus community consensus.
> We need better ways to universally indicate trust in distributed software beyond system package managers.
I'd love to hear you expound on this. The only two solutions I can see are are trusting and sandboxing. Sandboxing and capability security was a radical pie in the sky idea two decades ago, but now we've got two extremely popular implementations - web javascript and Android. So it feels a lot less like a lofty perfect solution, despite the current failings (both of those implementations have shirked being secure against many types of attacks!).
Is there some third way, especially that isn't just a combination of the two basic existing approaches? I'd love to hear one!
As a Linux nerd who started tinkering around 2001, I’m having a hard time with this framing. Being a Linux user around that era involved regularly compiling code that practically I couldn’t review. While the steps involved were different, the behaviors associated with installing software were not inherently more secure than windows at the time.
The main differences were: 1) I was more technically savvy and thus not as likely to install something obviously dangerous and 2) One just wasn’t very likely to run into a repo impacted by supply chain compromise or somesuch. Those same behaviors today are pretty risky in comparison, leading to threads like this one.
I’d argue that it’s less about windows being a source of maladaptive behavior, and more about windows attracting users who don’t know better than to behave the way they do. If those same low-tech users were somehow using Linux at the time, I don’t think they’d have learned anything more adaptive, and/or Linux would have been a much larger target, changing the threat landscape entirely.
But to go a step further, I guess the question that comes up for me is: why does it matter if it’s the fault of Windows? The typical “OS war” rhetoric never made much sense to me.
To me, the point of running Linux or really any desktop OS is to allow me to go beyond walled gardens.
My brother is a non-technical artist/creator type. If he relied only on the system package manager, he might as well use an iPad.
What you’re framing here as “violating rules” is really just “using the computer for its intended purpose”.
Following those rules may fix the security problem, in the same way that never leaving my apartment will probably protect me from most seasonal illnesses.
We need better ways to universally indicate trust in distributed software beyond system package managers.