Why I Run UNIX

Brian M. Clapper, bmc @ clapper . org

Introduction

I am a hardcore, long-time Unix user; I first used a version of the Unix operating system in 1985. (It was AT&T's System V Release 2, for what it's worth.) This web site currently resides on a server running the Ubuntu distribution of Linux. The servers on the internal clapper.org network run FreeBSD. My Apple Macbook Pro runs Mac OS X, which, under its slick, shiny UI, is based on FreeBSD. My previous laptop ran Fedora Core Linux. My employer-supplied development box runs Ubuntu. (For what it's worth, I'm registered Linux user #14,359 at http://counter.li.org/.) I wouldn't dream of running NT, Windows 2000 or Windows 2003 on one of my network's servers. This document explains why.

Why UNIX?

Why do I insist on running a UNIX clone, instead of one of Microsoft's popular operating systems? For starters, I simply like UNIX better than I like Microsoft's products. I've been using and programming on UNIX systems for more than 16 years now; it suits the way I work. But I also believe there are other good reasons to prefer UNIX over Microsoft's operating system products, especially on servers.

Don't get me wrong: I'm not saying you should never use a Microsoft product, or that all software that runs on Windows is crap. Despite its bloat, I happen to think Microsoft Word is a decent word-processor (though its flaws become apparent when you try to use it for desktop publishing). There's a reason that Microsoft PowerPoint has become the standard for presentations: It does the job pretty well, and it's relatively easy to use. A lot of UNIX adherents must think these products are okay, too, or there'd be no market at all for Sun's StarOffice suite or its open source counterpart, OpenOffice, which basically attempt to clone Microsoft Office for UNIX-like systems. Microsoft's Visio, the product of an acquired company, is a terrific drawing package; even though UNIX-based drawing packages like Tgif, xfig, Dia, and especially Kivio are starting to approach Visio in quality and features, Visio still has the edge. And, of course, bloat certainly isn't confined to Windows platforms. Emacs, my editor of choice, has been somewhat hefty for awhile, and it gets larger with every new release. And Netscape has always been a memory hog, but version 7 takes enough RAM, on any platform, to make a memory chip maker smile.

I also don't think that UNIX systems are necessarily appropriate for everyone. For instance, I would not install a UNIX clone on my father's PC. For one thing, it doesn't run the applications he needs. (That's changing, though; see the sidebar.) Furthermore, my father is not a programmer or a software tinkerer; the extra power, flexibility and complexity of a UNIX system would not only be lost on him, it would hinder him far more than it would help him (and I'd be bound to get a lot more calls for help). For the average user of off-the-shelf software, a UNIX-based system may not be a good choice. (On the other hand, there is a growing contingent of happy UNIX users who aren't hackers or programmers, as a letter from Neil Lucock demonstrates.)

But for a programmer, like myself, or a more technically savvy user who wants fewer interaction constraints, UNIX is a perfect fit. And for a server environment, I contend that UNIX is far superior to anything Redmond puts out.

Here's why.

Windows is as much about marketing as technical quality.

I'm not saying Microsoft's operating systems don't work or that won't do the job for you. However, Microsoft is an enormous, well-capitalized company with the apparent goal of pushing their operating system products into all the world's computers. They have every incentive to squelch competing technology, whether commercial or open source, and they have an enormous marketing and advertising budget with which to do it. That advertising budget appears to be employed in two directions:

1. boosting Microsoft's products, and
2. spreading often-unfounded FUD (Fear, Uncertainty and Doubt) about competing technologies.

The popularity of Microsoft's products has at least as much to do with the company's ubiquitous and savvy marketing as it does with the technical quality of their product line.

UNIX is seasoned.

It's been around, in one form or another, for a long time. When you run a UNIX system, you benefit from years of development, tuning, enhancement, and bug fixes. This isn't to say UNIX systems are bug-free; they're not. But years of seasoning, combined with continual use in critical systems, have made UNIX systems more reliable and more stable than their Microsoft counterparts.

X Windows is superior in many ways to the Windows look-and-feel.

Historically, UNIX hasn't been known for its intensely rich graphical experience (X Windows notwithstanding). However, that complaint has lately become a bit of a bum wrap:

1. X Windows is inherently network-aware, a feature that makes using remote machine resources much easier. You can log into a remote UNIX box over the network, fire up a graphics application, and tell it to display its output on your machine, allowing you to interact with the remote graphics application using your keyboard and mouse.
2. Under Microsoft Windows-based systems, the application itself is responsible for responding to resize, close, move, and minimize actions. Have you ever tried to minimize or move a Windows application that's pending on a network operation? Good luck; the application won't move, or even repaint, until it stops waiting for the network and starts looking at GUI events again. That kind of behavior doesn't happen under X, because window management isn't handled by the application itself. Instead, under X, window management is performed by a separate application, the window manager. As a result, when an application hangs under X, it's always possible to minimize it or move it out of the way.
3. X supports multiple window managers. The window manager is responsible for window decoration, window operations, virtual desktop management, and a host of other non-application behavior. In many ways, the choice of which window manager to use has a fundamental effect on the look and feel of your X desktop. In the past, X supported a bunch of rather ugly window managers, so you basically had to choose among extremely minimalist look and feel GUIs. However, Motif and OpenLook sought to change all that, with some success. Since then, Vendors and freeware enthusiasts alike have made great strides in X usability lately. In addition to the highly useful CDE (shipped by default with Solaris, HP/UX, and other commercial UNIX systems), there's been a building boom in window managers lately. KDE, AfterStep, fvwm, Enlightenment, Gnome, GNUStep -- there are now loads of slick window managers available for X. There are some third-party Explorer-replacements for Windows, such as LiteStep. However, unlike X windows managers, it's more difficult to switch from one look-and-feel to another on Windows--and, no matter what, you'll usually end up rebooting.

UNIX can be stripped down fairly easily.

This is a welcome thing for Internet servers, as it allows you to remove dangerous, insecure services and allows you to disable bloated services that just aren't necessary. For example, while X Windows adds a wonderful graphical component to a UNIX system, it isn't integral to the operating system; UNIX runs just fine without X. Just try administering an NT, Windows 2000 or Windows 2003 box without immersing yourself in Microsoft's memory-thirsty intensely rich graphical experience.

The ability to strip down the operating system is especially useful when you're concerned about security. When deploying a server that is accessible from the Internet, it's critical to disable unnecessary services; doing so is much easier with UNIX than with Windows.

UNIX can easily be administered remotely.

UNIX was originally designed as a true multiuser operating system; it was designed to run on computers used by lots of different people, not just on a desktop used by one person. When networking came along, UNIX naturally supported multiple people remotely logging into a single machine. This situation didn't change when UNIX moved to the desktop; it's still possible to log remotely into a PC running UNIX. Better yet, since all UNIX systems provide ways to administer the system from a character-based terminal, it's possible to perform almost all administration tasks remotely -- including, in many cases, rebooting the machine when necessary. Even if you prefer to use the graphical UNIX administration tools, you can run those remotely, as well, simply by telling them to use your display, over the network.

It is also possible to administer Windows remotely. Third-party tools like VNC make it possible to connect to remote Windows systems. Plus, most Windows 2000 and 2003 systems run Microsoft's Terminal Services, which is a more efficient way to run a remote graphical console on a Windows machine. There are even UNIX tools like rdesktop that allow a UNIX X-Windows user to connect to a remote Windows system that is running Terminal Services.) However, even though newer versions of Terminal Services boast that they're more efficient over low bandwidth, the protocol must still pass enough information over the network to support a remote graphical console. In addition, there are A remote SSH command-line shell consumes far less network bandwidth, and is the choice for many UNIX system administrators who are responsible for administering remote systems. But that option is not available on Windows systems. It's possible to create remote command-line shells on Windows systems; tool suites like Cygwin make doing so trivial. But it is still not possible to effectively administer a Windows machine solely from a command-line.

UNIX typically costs less.

Microsoft charges a significant amount of money for Windows server software.

• Windows NT Server is officially retired (as of July, 2003), but when it was an active product, Microsoft charged $1,619.00 for a 25-client license.
• Windows 2000, essentially a better and more stable version of NT, starts at $1,199 for a 10-client license.
• Windows 2003 starts at $999 for a 5-client license; like Windows 2000, the 10-client license is $1,1999. A 25-client license will set you back $3,999.

Prices were current at the time this document was last updated. And yes, you did read that correctly: Windows server licenses restrict the number of clients that can simultaneously connect to the server.

By contrast, you can get one of several UNIX-based operating systems for free. FreeBSD, NetBSD and OpenBSD are all based on the time-tested 4.4BSD Lite distribution, and all run on more than just the Intel platform. A large (and growing) number of Linux distributions are available and, like the BSDs, Linux is continually being ported to platforms other than Intel. If you have the time and patience, you can download any of them from the Internet, without parting with a single cent of hard-earned cash. Or, for convenience, you can purchase a CD containing the latest version of whichever one you want. For very little money, you get a full-blown, high-quality operating system that:

• contains no licensing restrictions on the number of simultaneously connecting clients
• costs nothing if you download them over the Internet, and
• typically only costs between $30 and $40 if you order a CD-ROM distribution.

For instance, BSD Central sells the complete 4-CD distribution of the latest version of FreeBSD for $24.95. They'll sell you just the installation disks for FreeBSD and NetBSD for $2.95. The latest versions of the Red Hat Linux and Slackware Linux distributions also sell for as little as $39.95. For that piddling amount of money, you get a full-blown, highly reliable, server class operating system with no software limits on the number of clients that can connect to it at one time.

Is Windows really worth at least 40 times the price of a free UNIX system -- especially when there are ample benchmarks available that show free UNIX systems perform at least as well, and often better, on identical hardware? Personally, I have a hard time justifying the Windows value proposition, when reliable UNIX systems are so inexpensive.

Quality UNIX support is easy to find.

One common complaint about using a free operating system -- in fact, about using free software at all -- is, ``But we can't get support for it.'' Nonsense. It's often not supported in the same way that commercial software is supported, but there definitely is good technical support available. There are mailing lists and USENET news groups for the various free UNIX-like operating systems, and the technical advice available in those forums is frequently stellar. Better yet, among the people who answer your questions are talented programmers and engineers who get involved because they love the particular piece of free software. Contrast that situation with the type of phone support you get from a typical software vendor -- phone support that is rarely, if ever, free. Finally, I actually prefer the type of support available for free software to the commercial support provided by most vendors. In my experience, the information available on the various USENET newsgroups and mailing lists is of consistently higher quality than that provided by most commercial support organizations with which I've had contact.

UNIX generally outperforms Windows on identical hardware.

There's plenty of evidence to suggest that UNIX servers easily outperform Windows servers on the same hardware configuration. Among other things, as load increases, Wnidows seems to degrade much faster than UNIX; this is true of the non-commercial UNIXes, as well as their commercial brethren. There are at least six flavors of UNIX that run on Intel hardware: FreeBSD, Linux, NetBSD, OpenBSD, BSD/OS (a commercial BSD 4.4-Lite derivative) and Solaris. All outperform NT, especially under load. For a good overview, see the Performance section of John Kirch's article. [1]

Also, a November 13, 2001, article in PC Magazine compared file sharing benchmarks between two identical machines, one running Windows 2000 and the other running Linux and Samba. The machine running Linux and Samba handily beat the machine running Windows in every test. [8] More recently, an October, 2003, article in vnunet.com reported, "Tests by IT Week Labs show the latest version of the open-source Samba file and print server software is 2.5 times faster than Windows Server 2003 in the same role." [9]

Samba is so good, in fact, that it apparently has provoked a response from Microsoft. An April 4, 2002, article posted to Advogato claims:

In its continuous battle against the GPL, Microsoft is trying a new tactic, a combination of patent claims and licensing of technical standards. In the "Royalty-Free CIFS Technical Reference License Agreement", Microsoft defines the GNU GPL as an "IPR Impairing License" and requires companies not to distribute their implementations of the CIFS specification "in any manner that would subject such Company Implementation to the terms of an IPR Impairing License." This attack is clearly aimed at the successful GPLed CIFS implementation, Samba.

UNIX scales up fairly easily to more powerful hardware systems.

NT and Windows 2000 currently run on only on Intel platforms. (Compaq dropped support for NT on its Alpha platform.) Microsoft calls its stated scaling strategy "scale out," meaning that it's built on the idea that customers should buy and network more machines as they need increased resources. No matter how much Microsoft spins this issue, it's important to realize that Microsoft must embrace a scale-out strategy: Windows only runs on Intel hardware, and there's only so far you can go up within the PC architecture before you hit the ceiling.

By contrast, not only will UNIX systems scale out, they'll scale up. You'll find a version of UNIX running on PCs, workstations, mainframes, and even on the Cray Supercomputer. (And Scott Courtney wrote an extremely interesting article about running Linux in its own virtual machine under VM on an IBM mainframe. Seriously cool stuff.)

Sure, porting an application from one version of UNIX to another isn't always a no-brainer, but in my experience, it's simpler than porting code from UNIX to Windows, or vice-versa. This means that if a company running, say, a web-hosting operation runs out of room on its PC-based UNIX systems, it can choose to scale out by adding more systems, or scale up by migrating to a Sun Ultra Sparc, Compaq Alpha, Silicon Graphics box, or even an IBM mainframe. Many companies frequently do just that.

UNIX is available from more than one vendor.

Aside from the various free UNIX-like operating systems (all of which are excellent), numerous commercial versions of UNIX are available, including Wind River's BSD/OS, Caldera's UnixWare, Sun's Solaris, Hewlett-Packard's HP/UX, Compaq's Tru64 UNIX Silicon Graphics Irix, and IBM's AIX. You're not stuck with one vendor. By contrast, there's essentially only one version of any given Windows operating system: Microsoft's.

You can get source code.

With all free (and some commercial) versions of UNIX, you can get source to the operating system and to all the system utilities. I've found the source to be invaluable at times. At one time, Chuck Murcko and I built a firewall for a former employer; we built it on top of a source-licensed version of BSD/OS. Having kernel source at our disposal made our job much easier. Rather than rely on vague assurances from the vendor that a certain Magic Incantation would disable an insecure feature, we could simply hack it out of the kernel. Likewise, when network problems arose, having access to the source sometimes made diagnosis easier. I can't imagine what it would take to get legal access to Windows source code, even just for inspection. Illegal access is another matter: Apparently, there are a few less-than-ethical vandals who wanted Microsoft's source code so badly that they broke into Microsoft's computers to get it. -- which provides a perfect segué to the next topic.

Security.

Big server operating systems have security holes. That's a fact of life. As it currently stands, however, I trust Windows far less than I trust UNIX. Here are just three reasons Windows NT and Windows 2000 make me nervous:

1. Windows is not an open system. If I run a version of UNIX for which I have source, I can patch the operating system or system utilities myself if necessary to close a hole that's just been discovered. I cannot get source to NT, so I have fewer options at my disposal for patching security holes.
   
   
2. Microsoft's Internet Information Server (IIS). Microsoft's web server is notoriously insecure; it has afforded vandals and script kiddies an easy back door into many a Windows server. Starting in July, 2001, a series of worms known as Code Red began to infect vulnerable IIS servers all across the globe. It quickly infected enough servers to cause network service outages, chewing up bandwidth as it continued to propagate. The Nimda worm is another well-publicized IIS hack. Microsoft has released numerous security patches for IIS (though there's ample evidence that many IIS administrators aren't patching their systems). Yet, there always seems to be another IIS security hole on the horizon. In fact, IIS is so vulnerable that in late September, 2001, the Gartner Group issued a report that warned enterprises to replace their ISS software with something more secure.
   
   
3. Other Microsoft applications. In January, 2003, a worm called SQL Slammer attacked a vulnerability in Microsoft's SQL Server and generated enough traffic to slow the Internet noticeably. It even managed to render some bank automatic teller machines inoperable. Would an open source product have fared any better? It's difficult to tell. But Microsoft has a history of poor security; combine the general insecurity of their products with their sheer ubiquity, and you have a recipe for exactly this kind of problem.
   
   
4. Windows systems tend to ship with a variety of dangerous services enabled by default. So do many UNIX systems; for example, the UNIX rlogin, rsh and rcp commands are among the first things to go when battening down a system. However, Microsoft's machines often go one step further. For instance, to facilitate easy interoffice information sharing, Windows 95 often shipped with file sharing enabled by default. In 1997, the on-line New York Times published an article describing how Windows-95's default file sharing settings combined unfavorably with cable modems, exposing unwary cable modem users' personal hard drives to everyone else who has a cable modem in their neighborhood. The problem has received greater attention lately, as more and more people connect to the Internet with broadband, always-on services like ADSL.
   
   Later version of Windows have their own problems. For instance, consider the Universal Plug 'n' Play architecture. According to a Microsoft security bulletin, "the Universal Plug and Play (UPnP) service allows computers to discover and use network-based devices. Windows ME and XP include native UPnP services; Windows 98 and 98SE do not include a native UPnP service, but one can be installed via the Internet Connection Sharing client that ships with Windows XP." But the UPnP service "does not correctly handle certain types of invalid UPnP requests. On Windows 98, 98SE, and ME systems, receiving such a request could cause a variety of effects ranging from slow performance to system failure. On Windows XP, the effect is less serious as the flaw consists of a memory leak" which, if repeated often enough, could ultimately lead to a system failure.
   
   While UNIX systems aren't immune to hacking, there's a wealth of free, UNIX-based security tools that can help you batten down the hatches on a UNIX system. For instance, turning a FreeBSD or Linux system into a filtering router is a piece of cake, using the IP filtering technology that both operating systems provide out of the box. And these days, OpenBSD installs out of the box with a large number of preconfigured security tools already in place.

One can make the argument that Windows is slowly getting better in the security arena, especially as more and more people find and report security problems. But it still makes me nervous; I wouldn't run it in my DMZ. (See the NT Security website for an overview of some of the security holes that have plagued, or continue to plague, NT.)

Apparently, Windows makes other people nervous, too. According to a May, 2002, article in the Washington Post, Microsoft has been "aggressively lobbying the Pentagon to squelch its growing use of freely distributed computer software and switch to proprietary systems" such as Windows. However, the article goes on to say:

A May 10 report prepared for the Defense Department concluded that open source often results in more secure, less expensive applications and that, if anything, its use should be expanded.

"Banning open source would have immediate, broad, and strongly negative impacts on the ability of many sensitive and security-focused DOD groups to protect themselves against cyberattacks," said the report, by Mitre Corp.

Even more worrisome, Microsoft seems to be tired of hearing about all the security vulnerabilities in its products. In October, 2001, Scott Culp, manager of Microsoft's security response center, wrote an essay in which he claimed that everyone would be better off if researchers would keep details about vulnerabilities to themselves, because disclosure of vulnerabilities makes it easier for vandals to exploit the holes. Bruce Schneier, a well-known cryptographer and security guy, wrote a good analysis (and, ultimately, a rebuttal) of Culp's views.

To its credit, Microsoft at least seems to have gotten the message. In January, 2002, Bill Gates sent a memo to Microsoft employees, announcing Microsoft's Trustworthy Computing initiative. Judging from the memo, Gates suddenly seems to understand why security is so important. Consider these quotes:

• "Flaws in a single Microsoft product, service or policy not only affect the quality of our platform and services overall, but also our customers' view of us as a company."
• "In recent months, we've stepped up programs and services that help us create better software and increase security for our customers. Last fall, we launched the Strategic Technology Protection Program, making software like IIS and Windows .NET Server secure by default, and educating our customers on how to get--and stay--secure. ... The Office team is focused on training and processes that will anticipate and prevent security problems. In December, the Visual Studio .NET team conducted a comprehensive review of every aspect of their product for potential security issues. We will be conducting similarly intensive reviews in the Windows division and throughout the company in the coming months."
• "At the same time, we're in the process of training all our developers in the latest secure coding techniques. We've also published books like 'Writing Secure Code,' by Michael Howard and David LeBlanc, which gives all developers the tools they need to build secure software from the ground up."
• "If we discover a risk that a feature could compromise someone's privacy, that problem gets solved first. If there is any way we can better protect important data and minimize downtime, we should focus on this. These principles should apply at every stage of the development cycle of every kind of software we create, from operating systems and desktop applications to global Web services."

On the other hand, Microsoft has such an abysmal record when it comes to security (and in responding to security problems) that many people see Gates's sudden conversion as just one more Microsoft publicity ploy. There are still plenty of skeptics. See, for instance, Rick Forno's commentary, Bruce Schneier's CryptoGram article, or Robert X. Cringeley's cynical response.

UNIX provides the de facto standard TCP/IP reference implementation.

At least, that's true of the 4.4BSD Lite-based UNIX systems, like FreeBSD, NetBSD, OpenBSD, and BSD/OS.  The late W. Richard Stevens wrote a stellar 3-volume set of books on TCP/IP, the TCP/IP Illustrated series. Those books all use the BSD4.4 Lite UNIX implementation as a reference point. It's wonderful to be running an operating system whose source code matches the books on my reference shelf.

I don't have to deal with those silly drive letters.

UNIX permits me to ignore where each disk drive partition or network drive is mounted unless I really care about that level of detail. UNIX mounts each disk drive partition or cross-mounted network drive under its own directory, with all directories subservient to the root directory; as a consequence, my files all appear to reside in one single directory tree. By contrast, NT (and its DOS-based brethren) map each disk partition to a separate drive letter. If I choose to move files from one partition to another on UNIX, I can still maintain the same directory structure, even if I have to create a few symbolic links to do it. If I choose to do the same thing on NT, I suddenly have to update all references to the old drive. On a single-user desktop, that's a minor, but consistently irritating, distinction.

Allowing Microsoft a monopoly on the desktop is bad for all of us.

If Microsoft attains its goal of placing Windows on every computer, our freedom of choice disappears, to be replaced by Microsoft's profit-motivated vision of what is appropriate for us to run.

Because I can.

The exigencies of the marketplace make it necessary me to do development on Windows as well as on UNIX. I can live with that. But I don't have to run Windows on my servers or my workstation at home, so I don't. My hardware runs UNIX very well, and I have no problems administering UNIX systems. For years, I wanted to be able to run UNIX at home; now, I have my choice of UNIX-like operating systems. That's a dream come true. As a bonus, by running UNIX I am putting as little of my hard-earned money into Microsoft's pocket as possible.

Of course, your mileage may vary. Perhaps you've had great luck with Microsoft products. Perhaps you simply like them best. Perhaps you've never used anything else. In any case, if you honestly prefer Microsoft, then by all means, stick with the giant. But when you're cutting the check for that next Windows server upgrade, remember: You can do better than Windows, for a lot less money.

References and Links

$Id: run-unix.html 7881 2008-07-20 13:32:17Z bmc $