[pjmlp]

Windows security is pretty good when running as a normal user and having UAC turned on on its full level and binaries validation.

Yes, those things should be turned on by default. It is hard to educate generations used to work as root.

When people discuss UNIX security they tend to forget that worms were first targeted at them.

Also data matters more than system binaries, so it is enough to p0wn an application and suddenly $HOME is open to the world.

Then new GNU/Linux generations also seem very found of "curl ... | sh". Again opening $HOME to the world.

I also doubt everyone reads their emacs, vi, ..... packages. Again opening $HOME to the world.

UNIX does have a better security model configuration out of the box, but is just as unsafe for the regular users that just dump stuff into their PCs.

[pdonis]

> Windows security is pretty good when running as a normal user and having UAC turned on on its full level and binaries validation.

Do you still need to run anti-virus software in this configuration?

> UNIX does have a better security model configuration out of the box, but is just as unsafe for the regular users that just dump stuff into their PCs

Again, I agree, if a user wants to hose their system, Unix won't prevent them. But anti-virus software won't prevent them either.

My point is, what about the user that doesn't want to hose their system? On Linux, it's very simple: use your package manager to install software, and don't run anything that wasn't installed that way.

[pjmlp]

You don't need an anti-virus if you are only running software from trusted sources, just like in Linux.

Just that trusted sources in Windows means not installing pirated software or that thing a friend gave because it was so cool. Or going to shady internet sites.

All things that will hose a Linux system as well.

Linux package managers are nice until one needs something it isn't there, like it happens to most average users that don't care about about FOSS and forcing themselves to alternatives.

And I never saw a UNIX that would allow to prevent users to install software locally, as Windows does with Active Directory group policies. Although I bet there are some third party commercial offerings for that.

Outside Windows I only saw that in mainframes.

[pdonis]

> You don't need an anti-virus if you are only running software from trusted sources

What does "trusted sources" mean in the Windows world? Microsoft itself has shipped virus-infected CD-ROMs in the past.

> Linux package managers are nice until one needs something it isn't there

My sense is that, while this can happen, it's less likely to happen with the major Linux distros than it is with Windows. Major distros have tons of software in their package managers.

> I never saw a UNIX that would allow to prevent users to install software locally, as Windows does with Active Directory group policies

Um, you do realize that all it takes is not putting the user in the "sudoers" or "wheel" group (depending on the distro), right? This is routinely done in settings where only sysadmins are allowed to install software, such as universities. You certainly don't need anything as heavyweight as Active Directory group policies.

[pjmlp]

> What does "trusted sources" mean in the Windows world? Microsoft itself has shipped virus-infected CD-ROMs in the past.

Do you also read OpenSSH and Bash source code looking for security exploits?

> My sense is that, while this can happen, it's less likely to happen with the major Linux distros than it is with Windows. Major distros have tons of software in their package managers.

Quantity != Software X that user won't do without.

> Um, you do realize that all it takes is not putting the user in the "sudoers" or "wheel" group (depending on the distro), right? This is routinely done in settings where only sysadmins are allowed to install software, such as universities. You certainly don't need anything as heavyweight as Active Directory group policies.

I can install whatever software I want under $HOME, there is nothing preventing me to do that.

[pdonis]

> Do you also read OpenSSH and Bash source code looking for security exploits?

I don't personally, no. But I'm confident that there are experts doing so, and that when they find an issue, it is publicized and fixed quickly, because it's considered an extraordinary and urgent event, and allowing it to continue unfixed would be unacceptable. When MS shipped virus-infected CD-ROMs, nobody thought it was unacceptable, or even abnormal.

However, if you're confident enough in Windows' security features to run without anti-virus software, that's fine. My sense is that the vast majority of Windows users are not. But the vast majority of Linux users are.

> Quantity != Software X that user won't do without.

You're going to have to give specific examples, because I just don't see this as a significant issue that users who don't want to hose their systems have to deal with on Linux. I've never come across any software I needed as an ordinary user that I couldn't find in my Linux distro's package manager. (As a programmer, I have, but that's a different case.)

> I can install whatever software I want under $HOME

Which comes under the heading of users who want to hose their systems. If you don't want to hose your system, just don't do that.

(As an aside, I think you can actually lock down executable permissions in $HOME with SELinux. But I haven't tried it myself.)