LinuxQuestions.org
Hi. I'm jon.404, a Unix/Linux/Database/Openstack/Kubernetes Administrator, AWS/GCP/Azure Engineer, mathematics enthusiast, and amateur philosopher. This is where I rant about that which upsets me, laugh about that which amuses me, and jabber about that which holds my interest most: *nix.

"no virus" != "secure"

Posted 10-05-2011 at 12:43 PM by rocket357
Updated 01-14-2012 at 12:21 PM by rocket357 (spellcheck fail)

This seems to pop up a lot lately in Linux and Mac circles...

The presence of viruses for a particular platform does indeed point to security issues. However, concluding from the absence of viruses that a platform is secure is a logical fallacy (denying the antecedent, for those interested in philosophy). It goes like this: "If a platform has viruses, it is insecure. Linux does not have viruses, so it is not insecure."

The problem with this logic is that viruses, while a strong indicator that a system is insecure, are not the only manner in which a system can be insecure.

Comparing the "secureness" of two platforms is difficult. Many people argue that automated attacks, such as viruses and worms, indicate a "higher level" of insecurity than issues that require manual intervention. Granted, I've never known a single attacker typing at his/her keyboard to gain control of multiple machines as fast as Code Red or Nimda did, so there is a bit of truth to the theory that viruses and worms are "worse" than simple exploits, but you can't overlook a remote, unauthenticated root compromise simply because a virus or worm spreads faster. I don't care how many machines you can compromise in 1 minute...but I do care if you can take over 1 particular machine: mine.

Ok, now that we've gotten that out of the way, let's look at some numbers. Again, comparing one system's security to another's is difficult at best, but the sheer number of reports should give you a rough idea which system is "more secure". I'm pulling these numbers from NIST's NVD (National Vulnerability Database) for the past three months only (http://web.nvd.nist.gov/view/vuln/search):

Search term - NVD entries in the past three months:
Microsoft Windows - 37
Linux - 53
Mac OS X - 26
OpenBSD - 1

# just for fun...
Flash Player - 21

Of course, you have to look at the severity of vulnerabilities rather than just sheer numbers (the single OpenBSD entry, for instance, was filed as an OpenBSD/NetBSD/FreeBSD/Linux vulnerability, and on inspection it turned out to have been fixed in OpenBSD 3.8 back in 2005, so it hardly counts as a "security issue" for OpenBSD). By the same token, if those 37 vulnerabilities in Windows were all remote, unauthenticated Administrator compromises and the Linux vulnerabilities were all denial-of-service bugs, the raw counts would be meaningless, since the Linux vulnerabilities wouldn't lead to compromise. You also have to account for the fact that Flash Player has had 21 vulnerabilities reported in the same time, and that software is common to Windows, Linux, and Mac OS X.

Hardly looks "more secure" now, eh? Well, ok...let's look at average severity (NVD's CVSS base score, on a 0-10 scale):

Microsoft Windows - 7.74
Linux - 5.28

Wait...what?

Sigh. I can't even argue for Microsoft in these debates...not even now that they're "security-aware". It would appear that Linux has had a higher number of mid-range vulnerabilities, whereas Microsoft "does it right" by having fewer vulnerabilities that are, on average, much closer to full compromises.

I suppose I'll be getting off my soap box now...haha.

The fact still stands, though, that not having viruses doesn't necessarily mean a platform is "secure". Thank you. That is all.

Comments

  1. MrCode, posted 10-05-2011 at 05:39 PM (updated 10-05-2011 at 05:40 PM):
    I've run rkhunter a few times on my laptop and it hasn't found anything (that didn't turn out to be false positives/a result of my own intervention).

    …not saying I trust rkhunter to entirely reassure me that my system is "clean", but I do think it's an indicator that some random guy's laptop (i.e. mine) is probably not a likely target for someone with malicious intent.

    I've also run ClamAV to look for Windows viruses, and the only things it found were its own "test files" and these little "DOS virus simulation programs" I had grabbed off the internet for sh*ts and giggles to run in DOSBox (they're non-infective; they just simulate the outward effects of the viruses).

    I could be totally clueless on this, though. I've never really been any kind of "expert" on computer security… :-\
  2. rocket357, posted 10-05-2011 at 07:54 PM:
    Well, I set out to make a point without doing the math *first*...heh. I'd looked up count, but not severity of vulnerability alerts, so I opened my mouth before I really should have...I should have my head examined for that lol.

    And really, I'm a Linux/BSD Administrator. I sit at a Linux or {Open,Free}BSD terminal all day, so I see the warts of each of those much more than Windows 7...(though last night my wife's Win7 box got its second BSOD since we've owned it...poetic justice? I dunno). All I know is that a lack of viruses for a particular platform doesn't mean that platform is secure (though by alternate means it can be shown that in the past three months Linux has had a lesser security hassle than Windows, if you believe severity ratings).
  3. magiknight, posted 10-13-2011 at 02:02 PM:
    The problem is that people have no idea why Linux has fewer viruses.
    They can't see why it's not worth writing a Linux virus...

    It's more profitable for the virus writer to write a virus for Windows, because let's face it, 90% of Windows users are doorknobs... they have no idea how any of it works, they just YouTube and play games all day... they have no idea. It also doesn't help that Windows doesn't prevent the user from running everything as the administrator account. UAC is useless... So it's not only a user problem but the way the OS is set up by default leaves much bigger holes than a Linux distribution would.

    In the Linux world (as you know) you have ports open like Windows (services are being automatically run). But Windows doesn't force you to create 2 or more accounts, where GNU/Linux does; some programs refuse to run as 0:0 (root). Also the reason why you see more vulnerabilities in the code for Linux apps is because it's open, anyone can look for bugs... I don't even want to know how many bugs there really might be in a M$ OS. But if you look at it a different way, which OS gets them fixed faster? GNU/Linux hands down.
  4. rocket357, posted 10-15-2011 at 01:33 AM:
    Quote (originally posted by magiknight):
    Also the reason why you see more vulnerabilities in the code for Linux apps is because it's open, anyone can look for bugs...

    OpenBSD is open source, yet it has only one "vulnerability" in the same timeframe, and that bug was fixed six years before it was reported as a vulnerability.

    Point is, any codebase written to hit the mark "it works" cannot be secure, regardless if it's open source or closed.
  5. MrCode, posted 10-15-2011 at 07:44 AM:
    Quote:
    OpenBSD is open source, yet it has only one "vulnerability" in the same timeframe, and that bug was fixed six years before it was reported as a vulnerability.

    I think the point magiknight is trying to make is that bugs are typically more visible in open-source projects, not necessarily more plentiful. It's that whole business of "given enough (qualified) eyeballs, all bugs are shallow".

    I might be misinterpreting your statement, though…
  6. rocket357, posted 10-15-2011 at 12:55 PM:
    Quote (originally posted by MrCode):
    bugs are typically more visible in open-source projects, not necessarily more plentiful.

    I agree with you, but the statement I was making was that any project that is written just well enough to make it *work* is only doing half of what it needs to do. Bugs will always exist, but given Linus' attitude towards security bugs (and Microsoft's/Apple's complete disregard for the same), there will always be numerous security issues. The issue isn't closed-source vs. open-source, it's the attitude of the programmers writing the code. Being open source helps, since you can apply the "all bugs are shallow" rule (unless it's very complex code, such as crypto code...I've blogged about that before here, too), but being open source is "no silver bullet".
  7. the dsc, posted 10-16-2011 at 08:13 PM:
    How come Linux has so many more vulnerabilities than OpenBSD? I don't really know much of any of this, I thought that they would be nearly "identical" regarding vulnerability issues. Debian is in the way of "being"/maybe already is both Linux and FreeBSD (yet another entirely different animal in this regard? I'm totally lost now), it seems that you can even run some Linux binaries on it. I thought that vulnerabilities had much more to do with all that is besides the kernel itself than the kernel, which I'm thinking is the main difference between Linux and OpenBSD. For example, Windows could be much less vulnerable without a whole new "kernel" but instead imposing safer policies, such as having the root user and normal users more separated and the latter operating under conditions where the damage that they can do is severely restricted.

    Am I far off from reality on my guesses, or could it be mainly due to one of the same reasons some people point to why Linux is less vulnerable, that the fact that it's not as popular as Windows just makes it a less interesting target? I doubt it on the Windows/Linux issue (well, to some degree it's true, but only to the extent that hackers/crackers want to mess with personal computers, and it's not like messing with servers wouldn't appeal to them), but I think it may make some sense on Linux/OpenBSD differences. As far as I know, Linux is far more common on servers, so perhaps its holes are more commonly found/exploited?
  8. rocket357, posted 10-16-2011 at 09:17 PM (updated 10-16-2011 at 09:18 PM):
    It gets back to "coding to make it work" being only half the job, the_dsc. The OpenBSD team actively audits the codebase (i.e. sweeps through the code where no new functionality is added, but code quality and correctness is ascertained and fixed if required...i.e. NO BUG IS TOO TRIVIAL! FIX THEM ALL REGARDLESS OF SEVERITY!) (this works because most security vulnerabilities start life as simple logical bugs...so rather than wait for the "simple bug" to have an exploit attached to it, the OpenBSD team fixes the bug during audits). Linux, like Windows, Mac, Solaris, etc., does not do this as heavily or thoroughly as OpenBSD. OpenBSD goes beyond "coding to make it work" with these audits.

    As for the "less popular = fewer vulnerabilities", core internet machines have run some form of Unix for much longer than Windows has been around, so why did this suddenly come to light with Windows? (Ok, sure, there was the Morris Worm and other incidents that were Unix-specific, but nothing on the scale of the variety of vulnerabilities that Windows has had).

    Linux is also at a disadvantage compared to the BSDs on "core system" vulnerabilities, since Linux has more than one team responsible for various sections of each distribution (i.e. Linus et al in charge of the kernel, Stallman et al in charge of userland, etc.), while the BSDs have one core team per project.
  9. magiknight, posted 10-16-2011 at 11:58 PM:
    Also not to mention that OpenBSD's code base is nowhere near Linux's; of course there are going to be more bugs. Linux is a lot more bleeding edge than BSD ever will be, but yes, the BSD team uses the tried, tested and true method of coding.
  10. rocket357, posted 10-17-2011 at 07:04 AM:
    Linus Torvalds said himself that if BSD had been ported to i386 when he started looking for a Unix-like alternative, he would've never written Linux. Unfortunately there was a lawsuit going on between AT&T and the University of California, Berkeley that made the future of BSD a bit uncertain at that time...

    That aside, "bleeding edge" really depends on what you're using it for. OpenBSD has much more advanced security features than stock Linux, so in that sense OpenBSD is more bleeding edge. FreeBSD has much more advanced ACL capabilities than OpenBSD, so in that sense FreeBSD is more bleeding edge (and FreeBSD has much more advanced filesystems than OpenBSD, so it's like Linux in that regard). It really just depends on what you need.