[kwlug-disc] so ... what's your opinion on linux anti-virus software?

Chris Frey cdfrey at foursquare.net
Fri Feb 6 04:40:04 EST 2009

This was the response / rant I wrote beforehand, and since your
reply indicates that most of these points were intended for both
plain users and admins, it's probably valid to post this now.

Response to your second email is below as well.

I may disagree (in a spirited manner), but it's not personal. :-)

On Thu, Feb 05, 2009 at 09:20:52PM -0500, unsolicited wrote:
> >I think that it needs to be explained to new Linux users that their
> >world view of computers will have to change slightly.
> Nope. Sit down at a keyboard, get things done. The computer is the 
> means not the end.

I don't see how these things need to be mutually exclusive.  I think
a user's world view _should_ change with a new operating system.
Switching to Linux is a learning experience that should not be wasted.

A new Linux user gets to realize that the GUI does not have to be part
of the OS, that he can pick which one makes the most sense to him.
He gets to better understand how the OS can protect him, and make use
of those protections.

Of course, there's nothing wrong with sitting down at the keyboard and
getting things done immediately.  Linux can do that.

> >Instead of viewing
> >security as something you buy and run in the background, security
> >is now a process, and they are now in full control of it.
> Security is something for someone else to worry about. Even if I'm the 
> user. I'm not going to think about it, I have other things to do.

You've gotta be kidding. :-)

I know _I'm_ not going to visit my friends' houses everyday to do an
apt-get update && apt-get upgrade.  They need to learn to do that for
themselves.  And if it is wrapped in a GUI, and it works, and it's easy
to do, there's no reason for them not to learn how to do this, and the
reasons why.

> It had better be perfect, out of the box.

Nothing as complex as an OS is perfect out of the box.  And if it looks
perfect, it's only an illusion until the first bug is found.

> >Do they run random software from sources they don't trust?
> Yes. They do, and will. Deal with it. (See - out of the box.)
> You will never convince them otherwise.

Until it costs them personally.

I'd rather give them an education suitable to their experience level, and
give them fair warning of what could go wrong, than mislead them and tell
them that this magical Linux box will behave contrary to reality.

Of course, they can then ignore that advice and run random binaries as root.
But I'm not their insurance company when their bank account gets hacked.

> Think of it this way:
> - when you flick the light switch ... you're done.
> - when you pick up the phone, you get dial tone. You're done.
> - when you put a piece of toast in the toaster ... if you're REALLY 
> LUCKY, they might know to not stick a fork in it to fetch the toast.

These are all very simple operations.  If all you want to do is write a
letter and print it out, Linux can be made to be that easy as well.

> 	I don't know if it's true or not, but there was a Boston Legal 
> episode where the lawyer had to ask something like 'Do you think it's 
> reasonable that you stuck a fork in the toaster ...'

I know people in general can be dumb.  But I've not lost all hope that
they can be educated.

Most people need a reason to learn, though, and the computing industry has
done their best to hide those reasons from the users.

If I see some poor sap probing about in his toaster with a fork, I'll
tell him to unplug it first.  He may not realize it is dangerous, but once
educated, I'm sure he'll think ahead next time.

>   Their security
> >experience on Linux will be the same as on Windows.
> "What's security?" (i.e. don't care, foreign term, so ignore it and 
> get on with your day.)
> >Do they run all programs as root?
> They don't know. They don't care. They sit down and ...
> That's it.
> > Or do they learn how it works to
> >create and use multiple accounts on a machine?
> They do not.
> >Do they install the OS and then forget about updates?
> Yes. Unless updates are turned on automatically / for them.

These things have to be explained in terms they can understand.  I don't
expect new users to have the foggiest notion of what 'root' is, but I'm
writing on a Linux mailing list, so I figured it was clear.

If I don't explain these things, at appropriate times, in appropriate
terms, then of course they will continue running things as root
and ignore security updates.  Whose fault is that?

> e.g. Rogers and other vendors frequently come with Symantec 
> anti-virus. They blindly install it and get on with their day.
> After a year, when signature updates stop doing so, they just click on 
> the warning to get it out of their way without reading it.
> Then wonder how they got a virus, they have anti-virus software 
> installed, after all.

People trust Rogers and Symantec.  And Rogers and Symantec are in the business
of making money and selling "solutions."

When things don't work, the poor user doesn't realize that he was led down
the wrong path by those very same Microsofts, Rogers, and Symantecs.  And
by then, he's so far down that path, that anything else seems alien.

> >After pointing out all the changes they will have to make, then point out
> >how Linux makes those changes easier:
> They don't care. If I wander around with the mouse, clicking things, 
> can I figure out what to do to make it do what I want?

That is the Microsoft way of doing things.

People have been trained to think that way, because the software encourages
it, and doing it differently can be _hard_.

I think it is easier to do things the right way on a Linux system than it
is on a Windows system.  And I think that gap is growing, not closing.
Linux is getting better, and Windows is getting worse.

Vista put the user on hyper-click-anything training.  The correct response
to an unsafe activity is to just not allow it.  Don't put a popup in the
user's face.

And if the new user really and truly doesn't care, why is he switching to
Linux in the first place?  Why go through all the pain of learning a new OS
just to do everything the same way you did it on Windows?

> >	- Almost all the software they will ever need is already available
> >	  in a repository they can trust.  No need to search the internet
> >	  for a utility to do some task... search the free repository first.
> Sure. And which of the 500 choices they have for any given thing will 
> they chose? And what's a 'pidgin' anyways?
> And after trying the first dozen, all of which don't work, are for a 
> different version / library, are no longer maintained, and so on and 
> so forth, they'll give up and go watch the latest game on TV.
> This is why the *buntus are so compelling and needed - try to narrow 
> the choices down closer to the 'one true way'. Which inevitably isn't, 
> or, more likely, is incomplete. (i.e. does most of what they want to 
> do but is missing a something they're looking for.)
> Take IM's for example. There are lots out there. Convergence is 
> happening, so you have a moving target. Video live calling anyone? 
> (Don't ask me how you go from _instant_ _messaging_, i.e. one time, 
> one off, non-confirmed / replyable, to live video calls, but, well, 
> there you go.) Not much different than blackberries bastardizing 
> e-mail into instant messaging.

This doesn't really contradict my point, which was that all those 500
choices can be trusted, because they are packaged by the same place
you got your OS.  And your OS provides security updates for all 500.
The same cannot be said of the 500 choices you find in a Google search.

Usability is a separate issue.  Important, but separate.


Maybe you shouldn't be using an OS then.

The whole point of a PC, and the whole point of an OS, is to be general
purpose.  I can put a student, a child, an engineer, or an accountant
in front of the same machine, and it can be used different ways for
all of them.

That kind of complexity doesn't come for free.  And the OS world isn't
advanced enough yet, in Windows or in Linux, to make it look free.  The
costs keep leaking through the cracks in the facade.

> You may think I'm kidding here. I am not. I am on Chris' side of the 
> computer learning curve depicted here. I understand his points, and 
> that someone (preferably the os developer / installer) needs to get 
> this done.
> But the users are not.
> Why do you think Linux had not blown windows off the desktops? Why 
> have we not all blown away MS Office for Open Office? Read above. 
> Think 'Outlook.'
> When I pick up the phone, do I get dial tone. When I punch those 
> button thingies, can I talk to the person I'm calling?
> NOTHING else matters.
> It's the apps that matter.
> For purposes here, anti-virus is not an app. It's a necessary evil 
> that I'm not going to think about - it's in the way. ... and why is my 
> mouse so slow now???

It's a necessary evil because the world is using a general purpose tool
connected to a general purpose network filled with general purpose people,
and then expecting the ease of a single purpose tool.

It is possible to use Linux to make the machine very close to a single purpose
tool.  But people want to do more than one thing with their desktop.

I don't think that bandaid solutions like anti-virus will solve the
security issues facing users.  Only education can do that.  There are lots
of security problems that anti-virus hasn't a hope of solving, but
education has that hope.

I think we need to stop pushing computers as a simple device.  People should
have a little respect for them, for the good of their own data.  And people
won't have that respect if we keep treating users like dummies and hiding
the logic of the system from them.

> It's not just the idiot user I have to worry about ... it's the idiot 
> user's son in the office waiting for Mom or Dad, or that passerby 
> wanting to make a quick check of their e-mail as their laptop 
> battery's dead.

You shouldn't have to be worrying about the idiots.  You can only control
your own computer, and your own network.  You (the user) should be worrying
about that security thing you believed was someone else's problem in the
second paragraph... :-)

> Yes, users need to be educated. No, they don't want to be educated. 
> No, they shouldn't need to be educated. (Better software / fewer hackers.)

I agree with the first 2 points, but strongly disagree with the 3rd.
Better software, sure, absolutely, but users do need to be educated.
They don't need to be computer scientists, but how else will they have
a hope of knowing not to click on the new shiny that gets through the filters?

On Fri, Feb 06, 2009 at 12:48:11AM -0500, unsolicited wrote:
> Chris, you are absolutely right, in a perfect world. Everybody would 
> have the time, inclination, and energy, to learn everything about 
> everything. It just ain't so. If you'd like, wherever you saw toaster, 
> substitute digital camera or mp3 player. Which is, really, just a 
> diskette in another form. How about a cell phone?

I definitely don't have the time to learn everything about everything,
and I definitely understand the declining energy idea about learning
new stuff.

But I cannot in good conscience ignore my own responsibility for making
things work, nor can I ignore my own responsibility for keeping my own
data safe.  Fortunately, I understand computers, so I don't have to pay
someone else to help me.  But for those that are not computer scientists,
a little education can sure help out if they listen.  And if they don't,
then they pay, and pay, and pay.

> But we have no business expecting the same of those not similarly 
> inclined. We have every business of encouraging them to use these 
> tools to do something. They should be able to do so without having to 
> learn computerese and be constantly looking over their should in the 
> process.

This is definitely a reason to switch to Linux (to avoid having to look
over your shoulder), but it's not a reason to stop educating users,
even if they don't want it.

I don't think we have the luxury of pretending education is superfluous.
Computers are not advanced enough to make up for a dumb user.  Linux isn't,
and Windows surely isn't.  The burden rests on the poor user, and he needs

> We have long past the point of expecting every car owner to be able to 
> do their own tuneups. The complexity has gone past us. As with computers.

But we do expect people to know that the oil needs to be changed every
few kilometers, and the tires eventually wear out.  If people treated their
cars like they treat their computers, the roads would be a sad sight.

I'd hate to see what would happen if a car "user" drove on random roads
just to see if one "worked", while complaining that he just wanted to get
to the store and why does driving have to be so complicated! :-)

> My arguments apply to any user of any computer at any time.
> They sit down to get something done. They don't sit down to use or 
> apply security updates, virus patches, or OS / kernel updates.
> Say I had a pleasant afternoon and took some pictures. Now I'd like to 
> see them. Full stop. That's all I should have to think about.
> Say tomorrow I take an 8 year old for an afternoon and take some 
> pictures. We'll go home and fire up edubuntu to look at them. He 
> shouldn't have to worry about viruses. Not that they will prevent his 
> computer from booting, not that they will destroy the pictures he so 
> carefully crafted, not that opening one will take him to a porn site. 
> And he shouldn't have to worry that sending a picture to grandpa may 
> give grandpa a virus.

The 8 year old shouldn't have to worry about those things, but his parents
surely do!

We can't let people load pictures into their computers as if it was some
black void.  They don't organize their printed pictures like that.
Why should they expect to not pay attention when they add an ultra-
complex thousand dollar machine into the mix?

You didn't even mention backups, and hard disk failure, and software bugs,
and CD disk failure.  Computers are complex, and we are doing users a
disservice telling them anything else.

And (back to the original argument) saying that users are safe just because
they have antivirus is one of those disservices.

> They (users) know viruses and other 'bad things' are out there - given 
> our education and practical experience. Better be protected. Don't 
> understand them, but better be protected. Doesn't matter whether I 
> need it or not, I need to know that I'm covered. Full stop. I need to 
> not have to think about this any more. I installed Kubuntu and klamav, 
> I'm protected. I've been responsible. Full stop.
> If only it were that simple. It should be that simple. It should be 
> part of the distro.

Wouldn't it be better if they did understand it?  Wouldn't it be better
if they understood that clicking on an untrusted program in email is
like inviting a stranger into your home and giving him the keys?

Certainly, Windows needs anti-virus going at all times, because it is
possible for a virus to get in while the user isn't necessarily doing anything
"wrong."  But bugs like that get fixed in Linux, if they apply security
updates, and the control for operating a solid computer is now in the
user's hands.  They don't have to apply an anti-virus bandaid for a problem
they don't understand, and then cross their fingers and hope for the best.

They can if they want, but they don't have to.

> In your particular example ... people from Windows have learned they 
> need certain things to 'feel safe'. I perfectly understand why Bob got 
> asked the question he did. Windows, or anything else, the same 
> principles apply. Whether Linux is likely to get a virus today, it 
> will tomorrow and as the years come. Take 2 pills and call me in the 
> morning. You'll feel better (safer) for doing so.

Maybe I'm odd, but I want to know what those 2 pills are before I take them,
and what medical issue I have that needs it.

And I don't like telling people to do something without a reason.
Without a reason, they won't understand, they won't remember, and they
won't do it.

Installing antivirus and telling people that they're safe is letting them
off the hook way too easily.

[snipped other text]

> </rant - with apologies (^:>

No apologies needed. :-)

> It's the apps, people.

Actually, it's all about taking responsibility for your own computer.
Whether that is:

	- Windows + Updates + Antivirus + Knowledge, or
	- Linux + Updates + Knowledge, or
	- Linux + Updates + Antivirus + Kitchen Sink + Knowledge, or
	- Black Box Computer + Paid Tech Support

is up to you.

Interesting discussion anyway. :-)

- Chris

More information about the kwlug-disc mailing list