Well, hardening in GNU/Linux has been happening in many forms for many years, some which are default by now. GCC and Kernel for example, there is alot there. Yet more to implement by choice. But I guess what OP referring to hardening he also means things like security software, like using SELinux, iptables/netfilter and such things.

Another thing is hardware. I mean, even the Kernel blatantly mentions Intel related security issues that were raised the last 5 years and created some controversy. Software can't easily fix those issues. Then there is the controversy regarding the Intel ME and such things as well, and the neverending firmware debate.

But from a "national" standpoint, I think most institutions don't have the resources to harden their systems alike to what say the NSA has.

Canonical and Red Hat are the two major companies promoting GNU/Linux. But neither do anything to promote the desktop, the part which is most visible to the most people. I find that a puzzle especially because they ought to be able to capitalize on egregious failures in Vista10 and earlier versions of Windows, which seem to arise every few weeks.

Way before the malware problems included ransomware, it was estimated that even expensive migrations upgrading to GNU/Linux would pay for themselves within two years. I can only see that move has probably gotten far more advantageous. If Red Hat and Canonical would fire the "former" microsofters that have gotten onto their payrolls, they could probably make some progress in the market for desktops.

The primary attack vector is, and always will be, human. It's easier to get a human to click a link, open a file, or install an extension, than it is to develop penetration software. That's how most malware gets on computers, not directly through the internet connection. Hardened Linux cannot deal with user stupidity efficiently nor completely.

There the fault lies with the web browser. They have been garbage for many years. It is not the fault of the user that they are using the software as advertised. Otherwise, the GNU/Linux ecosystem is far more robust and an upgrade from Windows to GNU/Linux would pay for itself. A big barrier there is that neither Canonical nor Red Hat have made the least effort to market desktop options in recent years.

Another barrier to the desktop which has been diminishing is the monopoly which M$ has had on the OEMs. There M$ seems to be losing its grip, for whatever reason. It is now increasingly possible to find GNU/Linux pre-installed if one knows where to look.

I'd be willing to bet, particularly at a state government level, let alone at a local government level, the government where I live has contracts with M$ that pretty much force them to use whatever crap M$ throws at them. It's also very likely that they simply don't have people with Linux/Unix expertise to administer it to a large extent, let alone users that have much if any Linux expertise.

I wouldn't be relying on them one bit to protect me or my system, they are idiots when it comes to IT.

In the end, they are so far up M$'s ass, I'd be surprised if they can see daylight.

1 members found this post helpful.

Well, it can actually, depending on the system. Some systems are designed with more safety in mind and some harder system defaults. And more security can be implemented to make even user stupidity unviable in alot of cases.

User stupidity is always viable. It's basically impossible to idiot-proof anything, because the idiots are so inventive. I would bet the rent money that the way Russia (or whoever) got into the US government systems was by some human allowing it, knowingly or not. It's certainly possible to make it more difficult get into systems, but I don't think it's possible to totally prevent unauthorized entry, if authorized means by the system administration. Users can always be exploited, one way or another, and they can find ways to circumvent security, given the time and incentive.

Relevant:
https://www.reddit.com/r/sysadmin/co...tomach_ulcers/
The human factor.

edit: Linux vs. Windows doesn't even matter here.

One thing that occurred to me this morning builds on my previous post to this thread.

Given that MS aggressively marketed itself to the enterprise in the 1990s and early 2000s, and the enterprise responded by buying MS, there's a side effect.

Visualize a network in a large business or government agency; I'm thinking not of dozens or hundreds of workstations, but rather of thousands of them. Even if the organization's IT specialists and leadership recognizes that Linux (or BSD) would be a more secure alternative, the logistics of migrating a large network to a whole new network while still providing employee and customer/client services could daunt the most savvy IT department.

Plus there are the employees who would have to be trained to use different software. You and I know that a word processor is a word processor is a word processor: they all do pretty much the same thing, they just hide them on different places in the menu. But I've seen person freak out when MS changes the interface on MS Word, just to pick an example; those folks would short-circuit completely if asked to use LO.

Heck, just upgrading to a new version of the current OS can be a massive task. I have a friend who sysadmins a thin-client Linux network of approximately 250 workstations. The amount of planning he has to put in just to upgrade to a new server running a newer version of the same Linux OS would give me heartburn.

The point I'm making is that there's a lot more to migrating a network in technical, human, and customer service terms, than simply loading up a new OS. Even a management that wanted to move away from MS could find themselves dismayed by the complexity and cost of the task.

Just two more cents.

Ugh! That would surely make applying patches to a data center full of systems a real headache nowadays. Not a totally insane idea, though, and it's been done before. The RK- and RM-type removable disk pack drives I used with PDP-11s and Vaxen had read-only buttons on the front panels (which, unfortunately, could sometimes be pressed by your butt if you weren't careful when moving around in the data center.

Cheers...

I wouldn't go so far as saying that MS forced it on them. The staff and, particularly, the managers, just don't know about alternatives and happily accepted whatever shiny "solutions" MS provided. The lunch that MS paid for was excellent, too.

I recently saw an ad for a state IT position to work on a modernization project. Sounded interesting but the first gotta-have requirement was extensive experience with IBM mainframes and AS/400s. (In my experience, those folks aren't going to be promoting much Linux as part of their modernization.)

[sigh]

"Windows N+1 is the most secure Windows ever!" (How many times have we heard that? So often that it's meaningless.) When I did some contracting work with IBM some years ago (pre-Red Hat purchase), I had to make my way to the local IBM office to turn in my Windows laptop for one running Red Hat. So some companies get the security advantage of not using Windows.

Wasn't that the length of time that the city of Munich was using as their estimate for payback?

I know of one in particular who I'd like to see getting their pink slip.

That's interesting. I remember a corporate setting where there was alot of uproar and troubles just switching from Windows XP to Windows 7. Windows XP was already very old and outdated at the time and it was obviously "needed".

That was ofcourse until Microsoft promised to set up a large workplace in the city and offer them many jobs.

Oh yes, but once those papers are signed, it's not as if the state can turn around and start using non-M$ software in place of M$ software they've just paid god only knows how many millions of $$$ for. But fully agree with you that they would be completely ignorant of any alternatives - which was pretty much my second point. That's where the lack of knowledge comes in, ignorance is bliss. So agreed.