Tuesday, December 28, 2010

Haiku OS Development

(original post 7/29/2010)

In early May of this year, the Haiku development team announced the availability of Haiku R1/Alpha2 (Release 1, alpha 2). A typical software project will include daily builds, followed by alpha releases, followed by beta releases, followed by release candidate builds, and then the final release.

For those who are unaware, Haiku is a free and open source desktop operating system that takes over where the proprietary BeOS left off in 2003. BeOS was designed from the ground up circa early 90's to compete with Microsoft Windows and Mac OS. Although it never gained the traction it deserved, it had features that were far more advanced than it's competitors at the time.

Haiku is fast, clean, and slick. It's elegant and beautiful in design. The performance of this OS is absolutely fantastic. The overall performance is, in my opinion, better than any other OS I've ever tried. I suggest running Haiku on your computer off the hard drive to see what your computer's hardware is really capable of. Haiku is designed to take advantage of multi-core/multi-processor computers unlike anything else. Every process in the OS is a thread. This allows the CPU much more versatility in carrying out its processing requirements. It also allows for multi-threading from a single processor. This is not anything new for a modern operating system, but Haiku has been doing these things since it's inception in 1991 and it does it better and to a greater extent than anything else out there.

Earlier I wrote a blog about the advantages Linux offers over proprietary OSs. Well Haiku has, more or less, all of those same advantages. In some cases, such as speed, memory usage, and hardware requirements, it beats Linux hands down.

This system uses around 160 MB of RAM, even with several apps running. Wow. Boot time is also incredible. But with Ubuntu aiming to have a 12-15 second boot time by next year, it won't be winning that arena by the same wide margins for long. I can't say enough about the speed of this system though. It's fast. It's mind-blowingly fast. It's earth-shatteringly fast. It's ball-crushingly fast. It screams. When you launch an application it jumps out at you as fast as you can blink. It makes me smile every time I launch an app!

Haiku is perfect for hardware that is limited on resources, such as a netbook. If India's $35 tablet comes to fruition, I imagine someone could get costs even lower using Haiku due to the lower resource requirements.

Haiku is nascent in terms of open source operating systems, so naturally the selection of applications is pretty thin at the moment. There are some games available for Haiku, but it's not a big list by any standard. However, the Haiku developers successfully ported a development framework called Qt for its use. This means all applications written for Qt on other platforms will work with Haiku. Right off the bat this will vastly expand Haiku's software offerings to include an abundance of media players, IM clients, games, browsers, and a well respected office suite, KOffice.

The user interface is, quite simply, plain Jane. It's not very flashy. In today's day in age I think of this as a good thing. It's right down to business. It has yellow tabs as title bars that don't span the full length of the window as a normal title bar would. Here are some images from Google for Haiku. I have a gut feeling they will evolve the UI once they get the underlying kernel/operating system working well.

The file system was designed and implemented very well. It uses BFS, a modern, 64-bit capable, case-sensitive, highly customized journaling file system. BFS has also been successfully implemented with the Linux kernel and is an installation option on some modern distributions of Linux. The Haiku file system layout is, in my opinion, more intuitive than any other OS. Both Windows and Linux seem very cryptic from the top of the file system hierarchy. Haiku is more easily interpreted by novices. If you install Haiku, have a gander for yourself.

Speaking of which, I might mention that the Haiku installer is really easy for a novice to use. I was dumbfounded on how easy it was to install. For a project that's still in the Alpha development phase, I have nothing but praise for where they stand right now. For anyone out there who's ever installed/reinstalled Windows, you're in for a real treat with Haiku. You will feel like your cheating!

The transition from a completely proprietary OS to an open source OS has not been exactly a walk in the park. They have had an ambitious team working since 2003 to get this off the ground for you and me to enjoy free of charge. So kudos to the Haiku development team. They have been replacing lines of code bit by bit, byte by byte to make sure it doesn't infringe upon any patents and complies with the MIT license. So believe it or not, the entire codebase of BeOS has been replaced with new code. It has also made some improvements and updates along the way.

For nerds like me, there are all kinds of goodies packed into this OS. The system monitor (or task manager for windows users) is phenomenal. It has a detailed display for everything from each program's CPU/memory usage to setting individual process priorities on a per thread basis. For anyone that uses computers for critical applications this is a godsend. For instance, if you're recording a podcast, you want all the software related to recording to have full priority. If you're a DJ at a club, you want your MP3 decoder to have full priority, not your damn anti-virus software that keeps popping up annoyingly.

Speaking of anti-virus software, you wont need it. Although Haiku is not a Unix-based OS, it's security model seems to have well written code that has been written from the ground up twice now. For now it also has security through obscurity, meaning it's not a malware target due to it's niche uptake.

There is actually still a LONG way to go to get this OS as user friendly as others, such as Linux Mint. Currently WiFi is not yet supported (not widely, at least), a plethora drivers are not yet available, the app selection is anemic, and even the OSs utility apps are not all completed. Flash is not currently supported. But Haiku is, nonetheless, showing lots of promise. Bugs and show-stoppers are to be expected in an alpha release, so there's no need to criticize Haiku over its shortcomings. I'm looking forward to seeing how things develop from here. Haiku has become one of my favorite niche operating systems.

Modern Digital Encryption: an Overview

(original post 5/7/2010)

Earlier I wrote about how to best avoid the dangers of surfing the web. Think of this as part two of my earlier blog post: Security on the Web. This time I'm going to focus on securing data on your computer, AKA your local machine. If your like me and love security-related topics, or watching paint dry, this article is for you.

Sometimes it is necessary to store information on your computer that could be considered sensitive information. If you were to secure paper records, such as the deed to your home, you would put it in a safe or bank deposit box. But how do you secure the private data residing on your computer's hard drive? Encryption! Encryption can be used to protect data "at rest", such as files on computers and storage devices (e.g. USB flash drives). In recent years there have been numerous reports of confidential data such as customers' personal records being exposed through loss or theft of laptops or backup drives. Encrypting such files at rest helps protect them should physical security measures fail.

Computer encryption is based on the science of cryptography, which has been used as long as humans have wanted to keep information secret. Although the history of cryptography is very interesting, I'll keep to the point. Encryption has come a long way since the ciphers of Julius Caesar. I'll point out the basic forms in modern use today.

Symmetric and public-key encryption

The first method is called symmetric-key encryption. This requires both a key and a password to decrypt the file. The key is used to unlock the ability to guess what the password is. Without the key, prying eyes would not even be given the opportunity to guess what the password is. As you can guess, there is no way of sending a key securely over a network, such as the Internet, without an additional layer of security. Otherwise the key itself would be pulled from the data stream while in transit. What this means is that you must copy the key to a storage device and physically carry that device over to each computer that you want to decrypt files from. In other words the sender and receiver must share the key in a secured way in advance.

The second method is called asymmetric-key encryption, AKA public-key encryption. This method solves the problem of the first method (sending a private key across a network) by involving two keys. It uses a key pair based on prime numbers of long length. This makes the system extremely secure, because there is essentially an infinite number of prime numbers available, meaning there are an infinite number of possibilities for keys (source).

The key pair that consists of a public key and a private key act exactly as their name implies. The public key goes out publicly. It is there for the taking for any computer on the network that wants it. Hiding within that public key is an algorithm directly related to your private key that can only be used by your your private key for decryption purposes. Essentially, the public key provides encryption for the private key. It's a dual-layer encryption operation. The reason this works is because the key used to encrypt a message is not the same as the key used to decrypt it. The keys are related mathematically, but the private key cannot be feasibly (in actual or projected practice) derived from the public key.

It's a tough concept for the average person to wrap their head around. So if you find that explanation confusing, go to this HowStuffWorks article for further clarification.

Modern banking institutions also use digital certificates, which establish trust from whom you want want to make a secure connection with. They use a third party certificate authority that verifies that they are who they say they are.

Here are a couple of good analogies pulled from Wikipedia:
An analogy to public-key encryption is that of a locked mailbox with a mail slot. The mail slot is exposed and accessible to the public; its location (the street address) is in essence the public key. Anyone knowing the street address can go to the door and drop a written message through the slot; however, only the person who possesses the private key can open the mailbox and read the message.
An analogy for digital signatures is the sealing of an envelope with a personal wax seal. The message can be opened by anyone, but the presence of the seal authenticates the sender.
And so it is the combination of these two that allow secure commerce over the Internet.

Security of key lengths

So just how secure are these algorithms? In the 1970's the United States developed an encryption standard called DES, which had a 56-bit encryption specification. This offered 70 quadrillion (70,000,000,000,000,000) possible combinations. This was considered more than adequate at the time. No one ever dreamed that computing power would advance to the point of making this standard obsolete. Well, guess what? That's exactly what happened! A modern consumer desktop computer could easily crack this in short order. It's too bad the U.S. government never heeded the implications predicted by Moore's Law around the same time period.

Necessarily, a new encryption standard was created: AES. This standard calls for 128, 192, or 256 bit length keys. The number of possible combinations increases exponentially in proportion to the key length. So a 128-bit key would have more than 300,000,000,000,000,000,000,000,000,000,000,000 key  combinations [source: CES Communications].

I should point out that there is a physical argument that a 128-bit symmetric key is secure against brute force attack. Let me back up a second and clarify. Many cryptographic systems have no (practical) known weaknesses and so the only way of "cracking" them is to use a "brute force attack" by trying all possible keys until the message can be decoded. The Von Neumann-Landauer Limit implied by the laws of physics sets a lower limit on the energy required to perform a computation, such as breaking an encryption cipher.

In order to simply flip through the possible values for a 128-bit symmetric key (ignoring doing the actual computing to check it) would require 2128 − 1 bit computations. If we assume that the calculation occurs near room temperature, ~25C, we can apply the Von Neumann-Landauer Limit to estimate the energy required as ~1018 joules, which is equivalent to consuming 30 gigawatts of power for one year. Whammy Blammy! The full actual computation—checking each key to see if you have found a solution—would consume many times this amount.

Note: this argument assumes that the register values are changed using conventional set and clear operations which inevitably generate entropy. It has been shown that computational hardware can be designed not to encounter this theoretical obstruction (see reversible computing), though no such computers are known to have been constructed.

The amount of time required to break a 128-bit key is also daunting. Each of the 2128(340,282,366,920,938,463,463,374,607,431,768,211,456 to be exact) possibilities must be checked. A device that could check a billion billion keys (1018) per second would still require about 1013 years to exhaust the key space. This is a thousand times longer than the age of the universe, which is about 13,000,000,000 (1.3×1010) years. Wowie Zowie!

Key length caveats

So why would you ever want to use more than 128-bit encryption? Ask the CIA. Their guidelines state that all information considered "Top Secret" is to be secured using the AES specification of no less than 192-bit encryption. An underlying assumption of brute-force computations is that the complete keyspace  is used to generate keys, something that relies on an effective random number generator, something that is still in the works.

For example, a number of systems that were originally thought to be impossible to crack by brute force have nevertheless been cracked in this way because the key space to search through was found to be much smaller than originally thought, due to a lack of entropy in their pseudorandom number generators.  These include Netscape's implementation of SSL (famously cracked by Ian Goldberg and David Wagner in 1995) and a Debian edition of OpenSSL discovered in 2008 to be flawed (source).

Using a truly random seed would fully utilize the entire keyspace, ensuring that AES keeps true to it's theoretical brute-force protection. The Swiss are working on such a system now using quantum cryptology in which key ciphers are seeded by a number generated using photons -- tiny, massless packets of light. Since this method uses physics instead of math to create the key used to encrypt the data, there's little chance it can be cracked using mathematics. This type of method looks extremely promising. For more information on this subject see Heisenburg's uncertainty principle and How Quantum Cryptology Works

Ironically this solution, quantum physics, may also present a challenge to the security of our data in the future. If quantum computing proves to propel computing power significantly ahead of the Moore's Law projection, it could present serious challenges to any encryption scheme. If any minor flaw is found in a cryptographic system, it effectively lowers the key length. As previously stated, this would be an exponential reduction rather than a direct linear reduction. Which means that a 128-bit key could possibly be cracked. Let's also not forget that there is a cosmological chance that any brute-force attack could discover the cipher in a short period of time due to pure dumb luck chance.

Because of these concerns, and the concerns of paranoid conspiracy theorists, most software applications that generate keys will go all the way up to 4096-bit encryption support. This is kinda like cutting your butter with a chainsaw. My personal opinion is that 256-bit encryption is just fine for the rest of our lifetimes. Besides, you're much more likely to get rubber-hosed or black-bagged. These are euphemisms for getting coerced or burglarized, respectively, for the possession of your cipher.

Believe it or not, there is actually a solution to these issues as well! Well, partially anyways. There is something called a hidden volume that offers plausible deniability. In countries such as Iran you can be targeted and prosecuted for encrypting your own data. As preposterous as that sounds, there are still many dictatorships around the world that smite free speech and treat you as a revolter if you even speak your opinion about something negative relating to your sovereign authority. Deniable encryption can offer things such as an encrypted decoy or even hide encrypted data altogether. Also, storing encrypted data on an Internet server that has no traceable connection to you is another preferred method.

Well, it's happened again. I've wrote too much and you've undoubtedly squandered another perfectly good block of time reading this. Signing out. 

Security on the Web

(original post 4/5/2010)

There are pervasive criminal organizations that use sophisticated operations via the Internet to exploit a weakness in the U.S. banking system to steal money. Once their highly sophisticated operation is streamlined, it is all but too easy for them to leave churches, school districts, local governments, small businesses, and even individuals destitude.

The large conglomerate U.S. banks, as it turns out, are using procedures for verification and transaction operations that were put into place decades ago. There are serious weakneses in the system that criminal hackers are exploiting without too much trouble. Over the last several weeks the FBI, the FDIC, and the Federal Reserve have all issued warnings about this. It has garnered the attention of several major newspaper publications such as USA Today and The Financial Times of London.

Who exactly is at risk? 

A major portion of those at risk goes to those that do online banking from compromised computers. But even if you never sign up to do online banking, you are still at risk of having your money fraudulently wired out of your personal or business accounts. Small to medium-sized businesses have the greatest level of risk, followed by individual consumer accounts.

What can you do to protect yourself?

There is no black and white answer to this question. It depends on how specifically you are targeted by a criminal. You could have a virus or trojan horse on your computer that has broad-based algorithms that catch usernames and passwords. Or you could have an ex-employee or acquintance that knows everything about your accounts and personal life. There are software-based keyloggers and hardware-based ones. There are unscrupulous individuals at airports and coffee shops catching usernames and passwords on public wi-fi hotspots. I will attempt to explain how to avoid all of these security problems.

Encryption on the web: an overview

Modern banks use asymmetric key encryption, AKA public key encryption, to establish a secure connection from a banking server/terminal to an individual computer. Once this connection is established, all transactions over the web are more or less completely secure, with almost zero chance of any evesdroppers extracting any useful data, assuming they didn't catch your username and password credentials. Modern protocols are SSL 3.0 and TLS 1.0. Any encryption that is 128 bits or higher is considered secure enough for online banking. If you want to find out if your web browser is currently on an encrypted connection to a website, simply look for https instead of http in the URL address bar. That's the bar at the top where the www.(website).com address is located. If you want to dig deeper and find out what the current grade of encryption is your browser can supply that information as well. In Firefox, for example, you would just hit CNTRL+I (or click Tools-> Page Info) and click on the security tab. As an example, I'm currently writing this on a 256-bit encrypted connection to Zoho office. For more information see the Howstuffworks encryption article.

Basics for guarding your log-in credentials

If possible, I recommend that you avoid doing sensitive financial transactions over a public wi-fi connection. The most secure way to connect to the internet is by a wired connection to a router, switch, or other local computer. That said, currently the most secure connection over wireless would be a WPA password-protected connection, where only a limited number of people have access to the wireless network password. There is another wireless protocol called WEP that is much less secure and is easily hacked. A no-password wi-fi setup is the proverbial wild wild west, where anyone with the most basic packet sniffing software can read any unencrypted information you send to and fro on the Internet. This brings me to my next point.

You MUST ensure that your connection to your bank is encrypted before even thinking about typing in your password. Most banks use a two step process now where you only type in your username on the first page, and then it brings you to an encrypted second page for you to type your password. If there is no https in the title bar (URL address bar), then anything you send will be in plain text. Many email systems are set up so that both your username and password are both sent through "plain text", meaining it's unencrypted and evil-doers can pick up your log-in credentials. Once they have your email log-in credentials they can reset your online banking account password and then can subsequently log in to your online bank. You must guard your email account with your life! I reccomend signing out of your email every time your not working on something, or you can alternately set up an email account that you use specifically for registering with your online banks. Many email providers offer a "secure access" option. I highly recommend using this at all times.

How to avoid phishing

Phishing simply refers to fake websites that try to get you to hand them your log-in credentials directly by masquerading as the real website it is trying to emulate. There have been several advances forward in the prevention of phishing, but it is still a major problem. The most common form of phishing involves a seemingly legitimate email that has links in it that take a user to a maliciously constructed website that may look like an exact replica of the real one. They commonly use similar domain names to add to the confusion. For instance, the URL may read www.bank0famerica.com instead of www.bankofamerica.com. Did you catch that one? The difference is between the the letter O and the number 0. Most people could never tell the difference. This is just one example and the possibilites are endless. So how to you know for sure if a website is the one you want to be at? I recommend carefully typing in the web address manually and then saving it as a bookmark so that you will never mistakingly type the wrong address in the future. If you get an email from your bank saying your statement is ready, don't click on the link provided in your email. Instead open up a separate window or tab and navigate to the website on your own.

There is a new security model that invokes a "SiteKey" for authentication. Originally, it was the banks that were feverishly trying to authenticate the users during the log-in process. It was later pointed out that it's just as important for the user to authenticate the bank before giving out their super-secret passwords. Originally, if the user wanted to authenticate the bank they would use a browsers advanced features to view the SSL server certificate and compare the certificate's "fingerprints" to the ones they had on file for that website. This process can still be used today and is extremely effective. But most users wouldn't bother with this process, even if it only takes a couple of seconds. Well, necessity is the mother of invention. Ergo the SiteKey was born. It's basically a combination of a unique picture and phrase that are both displayed on the banking website's page where the user must enter his or her passcode credentials. This is how it works: if the picture and/or phrase displayed are not the ones the user is expecting, a giant red flag goes off and the user (hopefully) does not enter their password without further investigation. It is a great step in the right direction towards reducing the occurences of successful phishing attacks.

It is important to note that phishing attacks are not limited to the internet. They can be done over the phone or even in person. If your bank calls you and wants you to reveal sensitive information to them, you need to hang up on them and call them back using a number from your statement, the bank's website, or even the phone book. But do not call the number listed on your caller ID!

Keystroke loggers

This is a big one. In fact, Keystroke logging attacks may be the single most hazardous attack that criminals use to procure your log-in credentials. The first type is the software-based Keystroke logger. This is the result of viruses, malware, and trojan horses targeting your computer's operating system to allow evil-doers to record each and every keystroke made on the keyboard. I won't get into the nitty gritty of all the different technical ways this is possible. Microsoft Windows is far and away the worst at combating these malicious software programs, and new viruses are discovered each and every day. There are over a million malicious software programs written for the Microsoft Windows platform. It is a constant battle of trying to find viruses in the wild, logging them into anti-virus programs, downloading the lists to individual machines, and endlessly scanning every machine for those viruses. By the time your antivirus program receives the update, there are new viruses in the wild that you are not protected from. Sound a bit like a dog chasing it's tail? The problem is worse than you can imagine. But should you lose hope?

The newspapers, magazines, and TV stations claim they have an answer to the problem. Their solution is that you should by a separate computer dedicated solely to sensitive information handling such as online banking, payroll, etc. On this computer you would not surf the Internet aimlessly and casually like you would on your normal machine. No email, no online chatting, no social networking. It's strictly down to business and nothing more. This machine should be configured to disallow scripts, videos, and/or images to load from the internet. Also, it must have a firewall that is specially crafted to block all unused ports and services. It is, in my opinion, a waste of resources, space, and money.

But why not install a second hard drive with a separate operating system on it? If you really wanted to save money you (or your closest geeky friend) could repartition some free space on your current hard drive to make room for another operating system. You can use one of any number of free operating systems that are much more secure than Windows. In fact I wrote a piece earlier on why I use Linux Mint as my operating system of choice when doing any sensitive transactions on the web. But there are many other free alternatives out there that are just as suitable. If you absolutely insist on using MS Windows, do not install any programs that are not needed to carry out the transactions you need to accomplish, only connect to the internet when you need to, run antivirus programs regularly, and use the latest version of Firefox or Opera (arguably the two most secure) web browsers.

There are also hardware-based keystroke loggers. They are most commonly manifested as a device plugged inline between a computer keyboard and a computer. They can also be built into a keyboard. There is an old saying that any computer can be compromised if physical access to the machine is possible. This is just one example that ringing true. These attacks are not usually broad-based attacks, but are specifically implemented to gain information from a single person or company. In other words, Espionage.

Some institutions are now using authentication by clicking numbers or letters on-screen to mitigate these types of attacks. 

An ounce of prevention...

There are several layers of prevention that can be used to avoid becoming a victim of a phishing attack. The chances of someone gleaning your log-in credentials are exponentially reduced with each step, so I recommend you take all of them.

First of all, use bookmarks. They will ease the temptation of clicking on links in your email and also prevent you from accidentally misspelling the web address.

Second, if your bank supports SiteKey or similar mutual authentication procedures, use them. This system is one of the great triumphs against phishers.

Third, if you run Microsoft Windows, run antivirus software once daily or after surfing the Internet if you don't use your computer daily. If you run any other operating system you don't necessarily have to run antivirus software, but make sure you stay abreast of security news regarding that particular operating system.

Also, there is a dead-simple, yet extremely effective trick I learned that prevents you from becoming the low-hanging fruit for malicious keylogging programs. You simply type your password out of order. For example if your password is 12345678, you would type 5678, then click the mouse to move the cursor back to the beginning and finish typing 1234. If there was a keystroke logging device it would read the log file as 56781234, which is the wrong password. The criminal might be able to figure it out eventually, but they wouldn't waste their time if there was lots of other low-hanging fruit out there. Remember also that if you use your mouse to click on bookmarks instead of typing in a web address, there is a lesser chance that a criminal can figure out which site you are trying to log into.

Wiring transactions

Bank-to-bank wire transfer is considered one of the safest international payment methods, assuming you wire to the intended individual. However, if you wire money to the wrong person, it can be nearly impossible to recall the funds. Once a criminal receives a wire transfer, they have a high rate of success making away with the loot.

I'll give an example of the precautions I normally take involving a wire transfer. When I opened my checking account, I instructed the bank to do a double authentication for wire transfers. This is very common among small business owners. What this means is I can't wire any money out of my bank account without the bank actually calling me and asking me questions that prove my identity and verifying the amount and destination of the wire. It is critical that you get the destination right and also make sure that it is a legitimate enterprise. When I had to wire my life savings to an escrow account to buy my first home, I took many steps making sure the company I was wiring my money to was legit. For example, I checked the BBB (Better Business Bureau), did a phone book search to verify the physical address of the business, did a Google search to find their website, and called the escrow agent and personally verified the routing and account numbers over the phone. You NEVER can be too careful when wiring money out of your bank account. For some examples of what NOT to do head over to this article. 

Special considerations for small businesses

In the United States, if a consumer account is compromised, the bank usually takes the loss. However, if you own your own business and your business bank account is compromised, the law (specifically the Uniform Commercial Code) can require that the business owner prove that they took due care in safeguarding information and access relating to that account. You may find yourself in a corner defending your due care in preventing the losses suffered in your bank account. Therefore, it is imperative that you take at minimum the preventative steps mentioned in this article. If you must write down your password, you have to keep that piece of paper under lock and key.

If you are going to buy a separate computer for all of your sensitive financial transactions, I would have an IT professional set it up for you for that purporse. You will need to disable all drives and ports, configure the firewall properly, configure the browser properly, uninstall all crapware applications, and keep the computer itself in a locked room or cabinet.  

Stay tuned for more...

Making the Switch to Linux

(original post 01/17/2010)

This blog/article is meant to inform the general public about open source software, but is more heavily geared specifically toward my experiences and opinions relating to Linux-based desktop operating systems and, more specifically, Linux Mint.

I won't go into too much detail about my history with computers, but I had learned on and exclusively used Microsoft Windows as my computing platform for at least a decade. I learned all of the ins, outs and idiosyncrasies of it in painstaking detail. My opinion of Windows XP when it debuted, was that it was powerful, flexible, and adequately secure. But as the Internet grew up, innumerable problems started to arise. That's what lead me to search for something else, and what lead me to, ultimately, start using Linux.

Many things I took as standard operating procedure, were actually just exclusive to Windows. Like forced restarts, for example. I remember one time I was working on some things and the system decided to restart itself in the middle of my work. I couldn't save all the documents in time before it shutdown. Every time, it seems, I update the operating system, it constantly nags me to restart. Install a new application? Restart. Uninstall an application? Restart. File system error? Restart. Persistent dialog box won't go away? Re... well, you get the idea. And sometimes I will reboot after a Microsoft update, only to have the system tell me it needs another update. Then when I install it, it tells me I need to reboot again!

Speaking of booting, why is it that with every passing week of regular use, Windows takes longer and longer to boot. The constant rebooting wouldn't be so bad if it booted in 45 sec. like it did out of the factory. But it does get worse. In my experience after about six months I find it takes at least three to five times as long to boot. I can't blame this entirely on Microsoft, but the problem seems to only occur on their operating system so what else can I say.

It's not just the boot performance that suffers over time, but other aspects as well. Many programs load a small script at each startup and run in the background taking up precious disk space, RAM, and computing power. Not to mention they can also be a back door for an exploitative malware program.

I'm somewhat of a go-to guy for everyone and their dog's computer-related problems (and other problems for that matter!). Many times people will come to me with a "broken" machine. But it usually turns out that they were not maintained at all. By this I mean registry clean up, hard drive defragmentation, virus/malware scans, and, especially, startup scripts/applications. These computers had simply used up all of their RAM and were resorting to "virtual" RAM at a terrible performance penalty, rendering their computers unusable.

To counter this "Windows degradation" I decided to just wipe my hard drive clean and reinstall Windows every 6 months or so. This was not only to maintain peak performance, but to eradicate trojan and rootkit malware as well.

Microsoft should, in my opinion, have made Windows secure in the first place. But they failed MISERABLY at securing the desktop and, until recently, relied upon third party vendors to plug in the holes. So what you have, ultimately, is a company with closed-source binary code that has a plethora of both known and constantly emerging security flaws telling you that you can rely on them to patch the code for you sometime in the future. It's like having someone with a known high level of incompetence promising they know how to pack your parachute.

There are well over a million viruses circulating that target the Windows platform. We live in an age where online transactions are a major part of normal business operations. Security is a big deal. I personally took every precaution (or so i thought) and still picked up viruses (virii?) on my Windows machines. This is what lead me to search for a more secure operating system. Here are a couple of articles that may be relevant:

I was excited when the tech world was abuzz with Windows Vista before it's release. I was happy that Microsoft had finally gotten their act together and was working to put out a world class operating system for the masses. Or so I thought. When it finally came out, I gave it a whirl myself. I was underwhelmed, to say the least. I was actually accepting of their User Access Control scheme, which most people considered annoying and tiresome. But the hardware requirements for Vista are appalling! They not only force you to upgrade all their software packages (by pulling support for the older ones)... they force you to upgrade your hardware too! All of this just to try and get the same performance you used to get before. Windows uses their monopoly to push their latest operating system, requiring new hardware whether the consumer wants it or not. And the computer manufacturers encourage this behavior so they can keep selling more machines. Which loops right back to Microsoft maintaining it's monopoly stronghold. It is a vicious cycle of greed that seems to be a perpetual motion machine so far.

When I bought a laptop that had Vista on it, I read the End User License Agreement (EULA) before accepting it. It had some pretty disagreeable stuff in there. Especially for people like me who re-install Windows on a regular basis due to their shoddy product degrading itself over time.

Vista also has an increased level of Digital Rights Management, another tech industry idea that I am vehemently opposed against. Here is a snippet from a Wikipedia entry on the subject:

Windows Vista supports additional forms of digital rights management restrictions. One aspect of this is the Protected Video Path, which is designed so that "premium content" from HD DVD or Blu-ray Discs may mandate that the connections between PC components be encrypted. Depending on what the content demands, the devices may not pass premium content over non-encrypted outputs, or they must artificially degrade the quality of the signal on such outputs or not display it at all. Drivers for such hardware must be approved by Microsoft; a revocation mechanism is also included which allows Microsoft to disable drivers of devices in end-user PCs over the Internet.[107] Peter Gutmann, security researcher and author of the open source cryptlib library, claims that these mechanisms violate fundamental rights of the user (such as fair use), unnecessarily increase the cost of hardware, and make systems less reliable (the "tilt bit" being a particular worry; if triggered, the entire graphic subsystem performs a reset) and vulnerable to denial-of-service attacks.[108] However despite several requests[109] for evidence supporting such claims Peter Gutman has never supported his claims with any researched evidence.

While I could keep ranting about how draconian Windows is, it's time for me to switch gears and talk about my most used operating system: Linux.

I found Linux out of a quest for a more secure operating system. System security was (and still is) my number one priority. I do trading, banking, purchasing and so forth over the Internet. I also keep records and personal information in "the cloud", so security is of paramount importance to me. I have seen other people's lives turned upside down because of various attacks that criminals use in cyberspace. I try to stay informed about security issues on the Internet. 

What I found was that, basically, Linux is more secure because of three primary things:
  1. A clear division between users and administrators (whereas Windows is built with the assumption that the user will be the administrator). If you don't have the correct permission, then you cannot, for example, access a particular piece of hardware. Additionally, privacy can be ensured because the files on the PC are owned by individual users, who can permit or deny others access to those files;
  2. It lacks hooks in kernelspace that Microsoft built in to give its additional products a performance edge over those of competitors (which make Windows as a whole vulnerable to a user's actions, even if the user doesn't have administrative privileges), and finally;
  3. Because of code transparency. Because code is published rather than hidden, it is publicly scrutinized and patched BEFORE it is released into production. 
Some people might also add security through obscurity, since only about 1% of the computing population uses Linux as a desktop consumer operating system. Linux is more secure, but make no mistake, this is hardly because of obscurity. The majority of publicly accessible webservers in use today are running Linux. Those are targets with public IP addresses and an always-on connection -- prime targets for worms -- yet they are the least commonly infected, with percentages well below those of Microsoft's security-optimized servers. Wikipedia says this:

The Linux operating system, Unix and other Unix-like computer operating systems are generally regarded as well-protected, though not immune, from computer viruses, compared to Microsoft Windows. There has not yet been a single widespread Linux malware threat of the type that Microsoft Windows software constantly faces; this is commonly attributed to the malware's lack of root access and fast updates to most Linux vulnerabilities. (src)

There are entire books written on Linux security, so I won't go into any further detail. But anyone who does the most rudimentary research will find the Linux is far more secure than Windows. Here are a couple of commentaries worth reading on the subject:

So after picking a distribution, I installed Linux for the first time. I initially found it to be a headache getting some of the hardware to work properly, but after a short amount of googling everything came together nicely. I switched distributions to a version of Linux called Linux Mint. It turned out to be a pleasant surprise. Everything worked more or less perfectly out of the box. As a side effect, I found other various attributes and virtues of Linux. Here is the list off the top of my head:
  • Speed.
There was a noticeable performance increase of the system. Boot times were quite expeditious. I had a hunch that it was not as much of a resource hog either. I checked the System Monitor (Linux's version of Task Manager) and sure enough, it was using far less RAM idling at 188 MB vs. Vista's 700+ MB.  In my tests, it has had faster file transfer times than Vista. Linux supports USB 3.0 already, something Vista and 7 can't claim yet (please correct me if I'm wrong on that).
  • Stability. Reliability. 
In my experience Linux simply does not crash. Period. I have been using Linux for more than two years now and can't remember a single time when an application took down the entire operating system. That used to happen to me at least once a week in Windows. No frozen mouse cursors. No error dialog boxes that cannot be resolved without a reboot. It was refreshing to find that a system can work so well in this manner.
  • Applications. 
The version of Linux that I use, Linux Mint, comes standard with a graphics editing program (that has been put on par with Adobe's Photoshop by some people), a softphone VoIP client, IRC chat client, dictionary, PDF viewer, OpenOffice.org -- a full office suite (fully compatible with Microsoft Office 2007 and earlier) that supports 110 languages -- and a fully capable media player. As a side note, OpenOffice.org has been found to be able to open files of older versions of Microsoft Office and damaged files that newer versions of Microsoft Office itself cannot open. Thousands of additional applications are available for the cost of $0.00 USD. A perfect fit for a cheapskate like me. Almost every piece of software I use in Linux is open source. What this means is that it is not only free of charge, but that it is arguably more secure. It also has a nice philosophical undertone akin to free speech. The source code is available for anyone to view and improve upon, a condition that open source advocates view as necessary and vital for technological and societal advancement. Linux is a platform dedicated, almost exclusively it seems, to open source software. There is a great 8 page chapter by Kier Thomas on the history and philosophy of open source software that I highly recommend reading . I found it very interesting. It can be found here:
  • Inherent Malware Protection.
I have mentioned the security aspect already, but did I tell you that you no longer have to do anti-virus, anti-spyware, anti-trojan, and anti-rootkit scans? That's right. There are very few, if any, active viruses in the wild that are infecting Linux boxes. They do crop up every now and again but in most cases they only affect those administrators who changed the permissions from the default settings and/or rely on someone having physical access to the computer to plant the malware. In addition, security holes are patched promptly and updates are issued immediately, not the second Tuesday of each month or whatever Microsoft does. No operating system is completely invincible, but all in all, it's a very efficient system. Unfortunately, I still use Windows from time to time so I'm still tied to scanning the computer for 2 hours (seriously) after surfing the Internet.
  • Updates. 
The updating system in Linux Mint (a specific version of Linux) is far, far superior to anything I have ever witnessed prior. It allows you to prioritize updates according to what level they have been tested. It issues critical updates immediately. And best of all, it updates not only the operating system, but all of the installed software on the computer as well! Eat that Microsoft and Apple. Okay, I'll settle down before I start to sound like a fanboy. Here is a quote I pulled from Michael Horowitz, a syndicated "defensive computing" CNET blogger/analyst:

Linux is better at self updating than either Windows or OS X. This is critically important because many malware infections result from exploiting bugs in installed software. Apple and Microsoft update their own software, period. Microsoft's Windows Update is fine, but it doesn't go far enough. Keeping all the software up to date on a Windows computer is nearly impossible. It's the Wild West, with each software vendor using a different approach to maintaining their software. Applying bug fixes across the board challenges techies and is impossible for non-techies. I'd go so far as to say that keeping software updated is the biggest problem Windows users have, even though many don't know it.

Yes, Macs are immune to most of the malware, but there's still the issue of applying patches to all the installed software. In a commerical software environment, we'll never see bug fixes from a single source. Things are drastically different in Linux land. Each distribution has a software cocoon called a repository. Software in the repository comes from hundreds of different sources and is tested to be compatible with the Linux distribution in question. Each update package is tested to make sure that it will integrate smoothly and not break the system before being released into the wild. I'd be curious to know how many people have experienced a Windows update completely breaking the OS, because I've had to reformat and reinstall on a hard drive at least 3 times due solely to Windows updates breaking things.

Windows, in contrast, is an absolute security disaster for non-techies. We start with inconsistent and too-often manual procedures for installing bug fixes from dozens of different vendors. Then we add the huge amount of malware that targets Windows and top it all off with the hassle of maintaining at least one, if not multiple anti-malware programs.
  • Hardware Requirements.
Do an experiment. Take your oldest laptop or desktop computer -- you know, the one in the basement with a caked-on layer of dust covering it -- and try putting on the latest Microsoft operating system on it and see what happens. Uh oh! That's not gonna work even using witchcraft and sorcery. Now try putting on the latest version of a mainstream Linux distribution on it and Presto! You've got a system that likely works just as good, maybe even better than it ever has before. Older peripherals generally have better support under Linux as well. All those peripherals that would be in the landfill long ago can have a breath of new life put back into them. Linux generally gets new hardware drivers after Windows, but even that landscape is changing with more and more manufacturers opening up their specs and source code for hardware and drivers. Many manufacturers are writing the source code for Linux drivers themselves now and releasing it concurrently alongside the Windows drivers.
  • Support.
I have never had to call in to tech support for Linux. Every question I've ever had has been answered by googling the Internet, the Linux community (forums), and sometimes the actual authors of the software itself. There are also paid support systems in place for those who need someone on the other line when questions need answered. Also it works the other way too. I would rather support someone that was using Linux Mint than any other operating system.
  • System Maintenance.
How does this sound: an operating system that doesn't need to be defragged. Ever. How about never having to do registry cleanup utilities? How about not having to constantly monitor and modify startup application policies? Firewall policies are a cinch with either Gufw or Firestarter, both of which are free programs. It literally takes one minute to set up the firewall and doesn't constantly nag you. Also, as previously mentioned, no anti-whatever scans.
  • Being Different.
Okay, so I can't really count this as an objective benefit.
  • Cost.
It's free. 'Nuff said. Seriously though, I have come to enjoy Linux so much over the last two years that I now give back to the community both financially and through beta testing and bug reporting. Personally, I donate $5 to linuxmint.com for every version of Linux Mint I install on each computer. I also donate to The Linux Foundation whenever I can for upstream development and improvement. So although I may be paying for my software just like in a Microsoft ecosystem, there is still a major difference. The difference is that I choose to donate. If money gets tight I can choose to halt my donations and still get the same free software updates.
  • Participation.
What I love about Linux Mint is the democratic philosophy it's based on. For example, the lead developer decided that it was best for the community to decide which wallpaper the operating system should come with. He held a vote on the website and directly used feedback from the users to make his decisions for him. If I want a new feature added to Linux Mint, all I have to do is email the lead developer my suggestion and he will consider that feature for integration in a future release. It is truly unparalleled when you compare it to Microsoft and Apple.
  • Flexibility.
How about a pocket watch that runs on Linux? Sound absurd? Linux can and does run on everything from plug computers to mainframes. Who uses Linux? Short answer: governments, schools, Fortune 500 companies, individual users, stock market back-end trade executing mainframes, email systems, Internet servers... In fact, the majority of computers that make the Internet work run Linux (with Al Gore's help, of course :-). Linux has been a very strong player in the area of virtualization and the optimization of hardware. Linux is also completely scalable. The creator of Linux, Linus Torvalds, said that flexibility is Linux's biggest strength. Also, the operating system is more customizable than any version of Windows that I have played with. In my opinion, open source is always conducive to flexibility. This is what Torvalds had to say about it:
I think the real strength of Linux is not in any particular area, but in the flexibility. For example, you mention virtualization, and in some ways that's a really excellent example, because it's not only an example of something where Linux is a fairly strong player, but more tellingly, it's an example where there are actually many different approaches, and there is no one-size-fits-all "One True Virtualization" model....

...I mention that as a strong point of open source! Why? Because it actually is a great example of what open source results in: one person's (or company's) particular interests don't end up being dominant. The fact that I personally think that virtualization isn't all that exciting means next to nothing.

This is actually the biggest strength of Linux. When you buy an OS from Microsoft, not only you can't fix it, but it has had years of being skewed by one single entity's sense of the market. It doesn't matter how competent Microsoft -- or any individual company--is, it's going to reflect that fact. In contrast, look at where Linux is used. Everything from cell phones and other small embedded computers that people wouldn't even think of as computers, to the bulk of the biggest machines on the supercomputer Top-500 list. That is flexibility. And it stems directly from the fact that anybody who is interested can participate in the development, and no single entity ends up being in control of where it all goes.

And what does that then lead to? Linux ends up being very good at a lot of different things, and rather well-rounded in general.
  • Vendor Lock-in. (actually, a lack thereof)
Vendor lock-in, also known as proprietary lock-in, or customer lock-in, makes a customer dependent on a vendor for products and services, unable to use another vendor without substantial switching costs. Lock-in costs which create barriers to market entry may result in antitrust action against a monopoly. Companies like Microsoft and Apple have been practicing vendor lock-in since their inception. Open source software prevents a vendor lock-in occurrence from happening by its very definition. Read what Wikipedia has to say about vendor lock-in here:
  • Diversity.
It is common knowledge that genetic diversity in a population of living creatures is desirable because it reduces the likelihood that an illness -- such as a virus -- will completely wipe out every animal or plant. Many people, however, don't realize that a computer virus works just like it does in a biological setting. Operating system diversity is important for the same reason. So my concern is that Microsoft's monopoly isn't just illegal, it's a major security concern. For example, experts estimate that the Mydoom worm infected approximately a quarter-million computers in a single day in January 2004. Back in March 1999, the Melissa virus was so powerful that it forced Microsoft and a number of other very large companies to completely turn off their e-mail systems until the virus could be contained. The ILOVEYOU virus in 2000 had a similarly devastating effect. In January 2007, a worm called Storm appeared -- by October, experts believed up to 50 million computers were infected. Each one of these cost companies billions of dollars in lost productivity. Read this:
  • Longevity.
When file formats have open standards, they tend to stick around longer than proprietary formats. Take the ODF format, for example. One objective of open formats like OpenDocument is to guarantee long-term access to data without legal or technical barriers, and some governments have come to view open formats as a public policy issue. Several governments around the world have introduced policies of partial or complete adoption. What this means varies from case to case; in some cases, it means that the ODF standard has a national standard identifier; in some cases, it means that the ODF standard is permitted to be used where national regulation says that non-proprietary formats must be used, and in still other cases, it means that some government body has actually decided that ODF will be used in some specific context. Open standards apply to operating systems like Linux as well. As long as there is programmer interest in a platform, no one person or company can "pull the plug" on it. While it is common opinion that Microsoft will be around for a while, it was also common opinion in early 1912 that the Titanic was unsinkable.


Every operating system has it's headaches from time to time. And Linux is no different. But I find the Linux Mint experience to be more enjoyable overall than any other, with the added benefit of a bullet-proof security model to boot. If you consider yourself technically savvy, you owe it to yourself to be open minded and give it a try. It won't cost you anything other than your time. If you are not a techno-wiz, and you find the idea of formatting hard drives and installing operating systems too daunting for your taste, you can have an expert install it for you for free! That's right. Just search for a Linux User Group (LUG) or event near you. People there would be happy to help you out to your heart's content. All you have to do is show an interest in Linux and if you've read this far, I'd say you qualify!