[kwlug-disc] so ... what's your opinion on linux anti-virus software?

unsolicited unsolicited at swiz.ca
Fri Feb 6 22:04:24 EST 2009

Apologies to the list, for those uninterested.

This thread is akin to Windows vs. Mac. There is no answer, there is
no resolution. But a lot of air gets thrown about anyways.

Not a bad thing, but can be wearisome for those not interested.

Zeke's vs. presentation.

Apologies to Bob for his hijacked thread.

Chris Frey wrote, On 02/06/2009 4:40 AM:
> This was the response / rant I wrote beforehand, and since your
> reply indicates that most of these points were intended for both
> plain users and admins, it's probably valid to post this now.
> Response to your second email is below as well.
> I may disagree (in a spirited manner), but it's not personal. :-)

Agreed. And well presented IMO.

> On Thu, Feb 05, 2009 at 09:20:52PM -0500, unsolicited wrote:
>>> I think that it needs to be explained to new Linux users that their
>>> world view of computers will have to change slightly.
>> Nope. Sit down at a keyboard, get things done. The computer is the 
>> means not the end.
> I don't see how these things need to be mutually exclusive.  I think
> a user's world view _should_ change with a new operating system.
> Switching to Linux is a learning experience that should not be wasted.

Bear in mind, my perspective here is, essentially, 'getting Linux to
the masses.'

My point is that what should happen, from an enthusiasts point of
view, and what does happen, or we would like to happen (_everyone_ be
happy and productive Linux users, producing good stuff all day long,
with secure and malware-proof systems), aren't the same. What we would
like to happen is everyone get that new toy and get on with their day.
Of those, very few will see 'getting on with their day' as playing
with the OS. Or the window manager.

People in general don't want to learn. Or to have that learning bound
up in intuitive doing. I will not take a course or tutorial in using
my toaster, I will plug it in and stick a piece of bread in. Full
stop. Computers are not an end in themselves.

> A new Linux user gets to realize that the GUI does not have to be part
> of the OS, that he can pick which one makes the most sense to him.

He doesn't care. About OS, about windows manager. Can I read my mail?

> He gets to better understand how the OS can protect him, and make use
> of those protections.

He doesn't care. It's not in his worldview.

> Of course, there's nothing wrong with sitting down at the keyboard and
> getting things done immediately.  Linux can do that.

Except, as this thread started ... what about them virus thingies?

>>> Instead of viewing
>>> security as something you buy and run in the background, security
>>> is now a process, and they are now in full control of it.
>> Security is something for someone else to worry about. Even if I'm the 
>> user. I'm not going to think about it, I have other things to do.
> You've gotta be kidding. :-)

I wish I were.

How many would notice if that toaster came with a non-polarized plug?

> I know _I'm_ not going to visit my friends' houses everyday to do an
> apt-get update && apt-get upgrade.  They need to learn to do that for
> themselves.  And if it is wrapped in a GUI, and it works, and it's easy
> to do, there's no reason for them not to learn how to do this, and the
> reasons why.

But they don't. I've heard it said that people can't be allowed to
work that way. But they do. It is up to the installation to prevent
them from working that way.

I expect FutureShop, GeekSquad or whatever, makes some bucks fixing
users systems that have slowed to zero due to viruses. Most likely
due to expired Symantec licenses.

How many people keep their tires inflated properly. Especially in
winter. (Temperature changes having a significant impact on inflation
level.) When's the last time you checked the pressure in your spare?

	THIS IS YOUR LIFE PEOPLE! But we don't do it.

>> It had better be perfect, out of the box.
> Nothing as complex as an OS is perfect out of the box.  And if it looks
> perfect, it's only an illusion until the first bug is found.

I turn on the new TV and get a picture. Life is good. Where's the
game? (As in sports.)

>>> Do they run random software from sources they don't trust?
>> Yes. They do, and will. Deal with it. (See - out of the box.)
>> You will never convince them otherwise.
> Until it costs them personally.

That's true. Until memory fades and in happens again. Malware getting
more and more sophisticated.

> I'd rather give them an education suitable to their experience level, and
> give them fair warning of what could go wrong, than mislead them and tell
> them that this magical Linux box will behave contrary to reality.

Most will never talk to anyone. Certainly not them geeks from the LUG
- they talk so fast and I don't understand them and I don't really
care. (If I run at home what I do at work, I won't have to learn
anything. Which goes back to Linux being the standard on office desktops.)

> Of course, they can then ignore that advice and run random binaries as root.
> But I'm not their insurance company when their bank account gets hacked.

No, in this case, their bank is Microsoft. Who's these Debian / CentOS
/ RedHat / Fedora people, anyways? What's a NetDirect?

When they call this bank ... and your credit card number is ... click.

They won't call anyone. It works, or it doesn't.

>> Think of it this way:
>> - when you flick the light switch ... you're done.
>> - when you pick up the phone, you get dial tone. You're done.
>> - when you put a piece of toast in the toaster ... if you're REALLY 
>> LUCKY, they might know to not stick a fork in it to fetch the toast.
> These are all very simple operations.  If all you want to do is write a
> letter and print it out, Linux can be made to be that easy as well.

Back to thread start. Basic point is, out of the box, 'virus'
protection should be in place. Full time, on the fly.

Yes, they can write and e-mail that letter. But in the process they
should not be able to expose themselves, or others, to malware.

(Part of the insidiousness of providers, these days, is coming with
Symantec AntiVirus. Oops, what do you mean it's only good for 1 year!
It has created a culture of 'coming with the OS.') Let alone Windows 
coming with solitaire.

>> 	I don't know if it's true or not, but there was a Boston Legal 
>> episode where the lawyer had to ask something like 'Do you think it's 
>> reasonable that you stuck a fork in the toaster ...'
> I know people in general can be dumb.  But I've not lost all hope that
> they can be educated.
> Most people need a reason to learn, though, and the computing industry has
> done their best to hide those reasons from the users.
> If I see some poor sap probing about in his toaster with a fork, I'll
> tell him to unplug it first.  He may not realize it is dangerous, but once
> educated, I'm sure he'll think ahead next time.

Ah, you're young. Give it time - jaded cynicism will join you too.

>>   Their security
>>> experience on Linux will be the same as on Windows.
>> "What's security?" (i.e. don't care, foreign term, so ignore it and 
>> get on with your day.)
>>> Do they run all programs as root?
>> They don't know. They don't care. They sit down and ...
>> That's it.
>>> Or do they learn how it works to
>>> create and use multiple accounts on a machine?
>> They do not.
>>> Do they install the OS and then forget about updates?
>> Yes. Unless updates are turned on automatically / for them.
> These things have to be explained in terms they can understand.  I don't
> expect new users to have the foggiest notion of what 'root' is, but I'm
> writing on a Linux mailing list, so I figured it was clear.
> If I don't explain these things, at appropriate times, in appropriate
> terms, then of course they will continue running things as root
> and ignore security updates.  Whose fault is that?

BUT YOU'RE NOT THERE. They go to FutureShop, buy a box, turn it on. We
WANT them to see Linux when they do so. MS Defender or whatever
they're calling it now, will be pre-set. Linux needs to do the same.
It needs to be safe out of the box.

(We won't go in to all the $$$ arguments why Linux isn't
pre-installed. Some day we'll get there. We've all seen in the last
few years some rays of hope. It will come. Not likely in my lifetime,
but it will come.)

>> e.g. Rogers and other vendors frequently come with Symantec 
>> anti-virus. They blindly install it and get on with their day.
>> After a year, when signature updates stop doing so, they just click on 
>> the warning to get it out of their way without reading it.
>> Then wonder how they got a virus, they have anti-virus software 
>> installed, after all.
> People trust Rogers and Symantec.  And Rogers and Symantec are in the business
> of making money and selling "solutions."
> When things don't work, the poor user doesn't realize that he was led down
> the wrong path by those very same Microsofts, Rogers, and Symantecs.  And
> by then, he's so far down that path, that anything else seems alien.

<sigh> Well put.

>>> After pointing out all the changes they will have to make, then point out
>>> how Linux makes those changes easier:
>> They don't care. If I wander around with the mouse, clicking things, 
>> can I figure out what to do to make it do what I want?
> That is the Microsoft way of doing things.

No, it's the people way of doing things. Why should we think computers
should be different.

Be it Ford, GM, Chrysler, GM, Toyota, Mazda, Nissan, Mitsubishi ...
turn the key, push the gas pedal, push the brake pedal. Done.

> People have been trained to think that way, because the software encourages
> it, and doing it differently can be _hard_.

Until those exposed to Windows XP (which is to say, a GUI with a start
button) in JK grow old and die, that's the way it is. We have to deal.

> I think it is easier to do things the right way on a Linux system than it
> is on a Windows system.  And I think that gap is growing, not closing.
> Linux is getting better, and Windows is getting worse.

But Windows is what they are exposed to first. Anything else is
different. I certainly don't like it, but I have to deal. e.g. As
discussed at Zeke's a few months back ... yet again, somehow, MS has
taking over the colleges and universities. <sigh>

> Vista put the user on hyper-click-anything training.  The correct response
> to an unsafe activity is to just not allow it.  Don't put a popup in the
> user's face.
> And if the new user really and truly doesn't care, why is he switching to
> Linux in the first place?  Why go through all the pain of learning a new OS
> just to do everything the same way you did it on Windows?

He doesn't look at it as a new OS, he looks at it as not costing him

>>> 	- Almost all the software they will ever need is already available
>>> 	  in a repository they can trust.  No need to search the internet
>>> 	  for a utility to do some task... search the free repository first.
>> Sure. And which of the 500 choices they have for any given thing will 
>> they chose? And what's a 'pidgin' anyways?
>> And after trying the first dozen, all of which don't work, are for a 
>> different version / library, are no longer maintained, and so on and 
>> so forth, they'll give up and go watch the latest game on TV.
>> This is why the *buntus are so compelling and needed - try to narrow 
>> the choices down closer to the 'one true way'. Which inevitably isn't, 
>> or, more likely, is incomplete. (i.e. does most of what they want to 
>> do but is missing a something they're looking for.)
>> Take IM's for example. There are lots out there. Convergence is 
>> happening, so you have a moving target. Video live calling anyone? 
>> (Don't ask me how you go from _instant_ _messaging_, i.e. one time, 
>> one off, non-confirmed / replyable, to live video calls, but, well, 
>> there you go.) Not much different than blackberries bastardizing 
>> e-mail into instant messaging.
> This doesn't really contradict my point, which was that all those 500
> choices can be trusted, because they are packaged by the same place
> you got your OS.  And your OS provides security updates for all 500.
> The same cannot be said of the 500 choices you find in a Google search.

To the users, there's little difference. They clicked here or there
and got a new computer toy to play with. 'Trusted source'? What's
that? Isn't everything to be trusted ...

> Usability is a separate issue.  Important, but separate.
> Maybe you shouldn't be using an OS then.

But it's the 'in' thing! Gotta get one! Isn't this cool!

> The whole point of a PC, and the whole point of an OS, is to be general
> purpose.  I can put a student, a child, an engineer, or an accountant
> in front of the same machine, and it can be used different ways for
> all of them.

To the user, it's an appliance.

> That kind of complexity doesn't come for free.  And the OS world isn't
> advanced enough yet, in Windows or in Linux, to make it look free.  The
> costs keep leaking through the cracks in the facade.

But Linux is free. Ain't it?

You mean it's complex? What do I know, or care? I move this mouse
thingie, maybe, MAYBE, hit a few keys ...

I'm not really too far over the top here.

>> You may think I'm kidding here. I am not. I am on Chris' side of the 
>> computer learning curve depicted here. I understand his points, and 
>> that someone (preferably the os developer / installer) needs to get 
>> this done.
>> But the users are not.
>> Why do you think Linux had not blown windows off the desktops? Why 
>> have we not all blown away MS Office for Open Office? Read above. 
>> Think 'Outlook.'
>> When I pick up the phone, do I get dial tone. When I punch those 
>> button thingies, can I talk to the person I'm calling?
>> NOTHING else matters.
>> It's the apps that matter.
>> For purposes here, anti-virus is not an app. It's a necessary evil 
>> that I'm not going to think about - it's in the way. ... and why is my 
>> mouse so slow now???
> It's a necessary evil because the world is using a general purpose tool
> connected to a general purpose network filled with general purpose people,
> and then expecting the ease of a single purpose tool.

Yep. What's your point? ;-)

> It is possible to use Linux to make the machine very close to a single purpose
> tool.  But people want to do more than one thing with their desktop.
> I don't think that bandaid solutions like anti-virus will solve the
> security issues facing users.  Only education can do that.  There are lots
> of security problems that anti-virus hasn't a hope of solving, but
> education has that hope.

True enough. But we're not there yet. And we have to get along in the
mean time. By 'anti-virus' I mean 'safe' here. Anti-virus is a
component of that. I shouldn't get harmed, I shouldn't be able to harm
others - it should just happen. I won't think about it.

> I think we need to stop pushing computers as a simple device.  People should
> have a little respect for them, for the good of their own data.  And people
> won't have that respect if we keep treating users like dummies and hiding
> the logic of the system from them.

I understand what you mean, but you presume people don't want to be

You push the handle, the toilet flushes. How often do you think about
the incredible complexity and distribution system behind getting water
in and out, or where it comes from and goes to?

>> It's not just the idiot user I have to worry about ... it's the idiot 
>> user's son in the office waiting for Mom or Dad, or that passerby 
>> wanting to make a quick check of their e-mail as their laptop 
>> battery's dead.
> You shouldn't have to be worrying about the idiots.  You can only control
> your own computer, and your own network.  You (the user) should be worrying
> about that security thing you believed was someone else's problem in the
> second paragraph... :-)

That's just wrong. I'm the admin, they're on my network, I cannot
allow them to harm others. I cannot allow myself to be harmed by them.
I cannot allow them to infect me such that I may pass it on to others.
I have no control over what they do once I ship them the computer. So
I, as deployer, put some safeguards in. To them, 'it came that way.'
It's the OS.

The idiots are the ones in control. Or, as an admin, the idiots are 
out there, they are allowed to connect (beyond my control). I as admin 
have to quarantine them, accommodate them, work around them, and work 
them in.

At home, bad things are out there. I cannot allow myself to be harmed
by others, or to harm them. For those others, the distribution is how
'it came that way.'

>> Yes, users need to be educated. No, they don't want to be educated. 
>> No, they shouldn't need to be educated. (Better software / fewer hackers.)
> I agree with the first 2 points, but strongly disagree with the 3rd.
> Better software, sure, absolutely, but users do need to be educated.
> They don't need to be computer scientists, but how else will they have
> a hope of knowing not to click on the new shiny that gets through the filters?

Because it shouldn't have gotten there in the first place. Out of the box.

To your point regarding complexity - yes, they will inherently get
some education, to the extent they are willing to absorb.

That education will be about how to use the app, not the OS, or

> On Fri, Feb 06, 2009 at 12:48:11AM -0500, unsolicited wrote:
>> Chris, you are absolutely right, in a perfect world. Everybody would 
>> have the time, inclination, and energy, to learn everything about 
>> everything. It just ain't so. If you'd like, wherever you saw toaster, 
>> substitute digital camera or mp3 player. Which is, really, just a 
>> diskette in another form. How about a cell phone?
> I definitely don't have the time to learn everything about everything,
> and I definitely understand the declining energy idea about learning
> new stuff.
> But I cannot in good conscience ignore my own responsibility for making
> things work, nor can I ignore my own responsibility for keeping my own
> data safe.  Fortunately, I understand computers, so I don't have to pay
> someone else to help me.  But for those that are not computer scientists,
> a little education can sure help out if they listen.  And if they don't,
> then they pay, and pay, and pay.

Paying is true of anything. Same can be said about car tuneups.

You presume people understand they have a responsibility. Or care. It
just comes that way ...

>> But we have no business expecting the same of those not similarly 
>> inclined. We have every business of encouraging them to use these 
>> tools to do something. They should be able to do so without having to 
>> learn computerese and be constantly looking over their should in the 
>> process.
> This is definitely a reason to switch to Linux (to avoid having to look
> over your shoulder), but it's not a reason to stop educating users,
> even if they don't want it.
> I don't think we have the luxury of pretending education is superfluous.
> Computers are not advanced enough to make up for a dumb user.  Linux isn't,
> and Windows surely isn't.  The burden rests on the poor user, and he needs
> education.

I don't think we disagree. But the education has to occur along the
way wherein people unconsciously absorb the material.

Not by having to spend multiple hours reading a book or screen and
learning about X before they can press 'Go.'

They put in a distro, and start playing. And learning about apps when
they do - not the OS. The OS needs to keep them safe, inherently. Or, 
rather, the OS needs to reassure them that their perception that they 
are safe is true.

>> We have long past the point of expecting every car owner to be able to 
>> do their own tuneups. The complexity has gone past us. As with computers.
> But we do expect people to know that the oil needs to be changed every
> few kilometers, and the tires eventually wear out.  If people treated their
> cars like they treat their computers, the roads would be a sad sight.
> I'd hate to see what would happen if a car "user" drove on random roads
> just to see if one "worked", while complaining that he just wanted to get
> to the store and why does driving have to be so complicated! :-)
>> My arguments apply to any user of any computer at any time.
>> They sit down to get something done. They don't sit down to use or 
>> apply security updates, virus patches, or OS / kernel updates.
>> Say I had a pleasant afternoon and took some pictures. Now I'd like to 
>> see them. Full stop. That's all I should have to think about.
>> Say tomorrow I take an 8 year old for an afternoon and take some 
>> pictures. We'll go home and fire up edubuntu to look at them. He 
>> shouldn't have to worry about viruses. Not that they will prevent his 
>> computer from booting, not that they will destroy the pictures he so 
>> carefully crafted, not that opening one will take him to a porn site. 
>> And he shouldn't have to worry that sending a picture to grandpa may 
>> give grandpa a virus.
> The 8 year old shouldn't have to worry about those things, but his parents
> surely do!

Of course - they're the ones who got the 'safe' distro, then walked away.

> We can't let people load pictures into their computers as if it was some
> black void.  They don't organize their printed pictures like that.
> Why should they expect to not pay attention when they add an ultra-
> complex thousand dollar machine into the mix?

Because it cost a thousand dollars.

People don't print pictures any more. That's why digital picture
frames are selling now. Dump camera contents to frame - inherent
organization - order in which taken (time linear).

> You didn't even mention backups, and hard disk failure, and software bugs,
> and CD disk failure.  Computers are complex, and we are doing users a
> disservice telling them anything else.

That presumes we are ever given an opportunity to tell them anything.

They get this CD ...

> And (back to the original argument) saying that users are safe just because
> they have antivirus is one of those disservices.

Not what I said. They are safer. The OS needs to be safe, out of the
box. Anti-virus is one way, one of the few ways we have, of getting there.

And there are lots of nefarious people out there.

>> They (users) know viruses and other 'bad things' are out there - given 
>> our education and practical experience. Better be protected. Don't 
>> understand them, but better be protected. Doesn't matter whether I 
>> need it or not, I need to know that I'm covered. Full stop. I need to 
>> not have to think about this any more. I installed Kubuntu and klamav, 
>> I'm protected. I've been responsible. Full stop.
>> If only it were that simple. It should be that simple. It should be 
>> part of the distro.
> Wouldn't it be better if they did understand it?  Wouldn't it be better
> if they understood that clicking on an untrusted program in email is
> like inviting a stranger into your home and giving him the keys?

I think you're missing one of my points ... there's only so many hours
in a day. If they have a choice of spending time listening to that new
mp3 they downloaded, or reading up on security update procedures ...

They just don't. What they should and shouldn't do is irrelevant. What
they do do, is. Because of that, we have to protect ourselves, and
each other. Inherently.

> Certainly, Windows needs anti-virus going at all times, because it is
> possible for a virus to get in while the user isn't necessarily doing anything
> "wrong."  But bugs like that get fixed in Linux, if they apply security
> updates, and the control for operating a solid computer is now in the
> user's hands.  They don't have to apply an anti-virus bandaid for a problem
> they don't understand, and then cross their fingers and hope for the best.

You presume the security fix arrives before the security vulnerability
is exploited. (Which is sort of chicken and egg.) This isn't true,
even on Linux.

Your position assumes automatic security updates are turned on out of
the box. (Why is it so great a leap that anti-virus updates are also
turned on out of the box?)

> They can if they want, but they don't have to.
>> In your particular example ... people from Windows have learned they 

Your missing a point ... it's not people from Windows ... it's people
from computers. It's a computer people, it's not windows, it's not
Linux, it's a computer. See, it has a mouse and keyboard and monitor.

>> need certain things to 'feel safe'. I perfectly understand why Bob got 
>> asked the question he did. Windows, or anything else, the same 
>> principles apply. Whether Linux is likely to get a virus today, it 
>> will tomorrow and as the years come. Take 2 pills and call me in the 
>> morning. You'll feel better (safer) for doing so.
> Maybe I'm odd, but I want to know what those 2 pills are before I take them,
> and what medical issue I have that needs it.

Do you read and consider every ingredient of everything you buy in the
grocery store?

Isn't all the food in there safe?

> And I don't like telling people to do something without a reason.
> Without a reason, they won't understand, they won't remember, and they
> won't do it.

But they don't care. I'm sick - here's a pill. Thanks! Bye now.

Society has self-inflicted this attitude upon themselves, I agree.

Are computers really any different?

> Installing antivirus and telling people that they're safe is letting them
> off the hook way too easily.

Maybe. That's the way it is.

Sit down in a car ...

> [snipped other text]
>> </rant - with apologies (^:>
> No apologies needed. :-)
>> It's the apps, people.
> Actually, it's all about taking responsibility for your own computer.
> Whether that is:
> 	- Windows + Updates + Antivirus + Knowledge, or
> 	- Linux + Updates + Knowledge, or
> 	- Linux + Updates + Antivirus + Kitchen Sink + Knowledge, or
> 	- Black Box Computer + Paid Tech Support
> is up to you.
> Interesting discussion anyway. :-)

Been going on for a long time. Years now. Will continue to do so.

Not much different than "who's your favourite team" or "favourite beer."

More information about the kwlug-disc mailing list