Old 03-12-2015, 09:48 AM   #16
smallpond
Senior Member
 
Registered: Feb 2011
Location: Massachusetts, USA
Distribution: Fedora
Posts: 4,140

Rep: Reputation: 1263

This is an interesting read:

http://www.computerworld.com/article...-platform.html

For mobile, Windows has a very small percentage and Apple is very secure. That leaves Android as the primary target.
 
Old 03-12-2015, 10:04 AM   #17
Miati
Member
 
Registered: Dec 2014
Distribution: Linux Mint 17.*
Posts: 326

Original Poster
Rep: Reputation: 106
Quote:
Originally Posted by smallpond View Post
For mobile, Windows has a very small percentage and Apple is very secure. That leaves Android as the primary target.
I get that Android uses a modified linux kernel... Beyond that though... I'm unsure why Android would be considered. Does it use permissions? isolation of programs?
From what I understand the kindle has a flat hierarchy (user files + system files have equal permissions).

Of course, I referenced embedded devices and I have no clue what their setup is.
 
Old 03-12-2015, 12:37 PM   #18
LinuxUser42
Member
 
Registered: Nov 2010
Distribution: Lubuntu, Raspbian, Openelec, messing with others.
Posts: 143

Rep: Reputation: 19
Let me start with when I started computing or more correctly, home computing, the computers I had access to were:
Timex Sinclair 1000
Apple II's (of various types)
TI99
IBM PC XT
Atari 800xl
Amiga
A multitude of various Radio Shack/Tandy models
Commodore 64
One ATT machine with Unix on it that dos commands were aliased

When Windows started becoming standard and preinstalled, then it was easier to write the stuff as you had a prevalent platform to develop for. Now add to it that security was an afterthought and everything ran as administrator, then the number of people who only knew how to point and click. (and if they had problems, ran to someone else)
Then it becomes easier to see. Now Linux does have attacks against it, but viruses are few, because in part, most attacks are more technical and directed towards obtaining something on the machine (either root access, and/or data, like CC/identity information). There are still those users that only know how to point and click, but on a nix based machine, they don't, by default, have administrator access.
 
Old 03-12-2015, 12:55 PM   #19
replica9000
Senior Member
 
Registered: Jul 2006
Distribution: Debian Unstable
Posts: 1,125
Blog Entries: 2

Rep: Reputation: 260
Quote:
Originally Posted by ron7000 View Post
How is it that Microsoft Windows, after about 20 years, still needs a separate anti-virus program?
How is it that others like Symantec, McAfee, and all the other anti-virus programs listed in PCmag and wherever know better than Microsoft the designer and manufacturer of the Windows operating system?
And before you say there is microsoft security essentials, there's plenty of articles out there how it's nowhere near as good as at least a handful of other programs.
If Windows came with a (decent) anti-virus program, they would be accused of monopolizing the anti-virus market. Similar to how they were accused of that with Internet Explorer for the browser market.
 
Old 03-12-2015, 01:06 PM   #20
enine
Senior Member
 
Registered: Nov 2003
Distribution: Slackʍɐɹǝ
Posts: 1,486
Blog Entries: 4

Rep: Reputation: 282
Quote:
Originally Posted by Miati View Post
I get that Android uses a modified linux kernel... Beyond that though... I'm unsure why Android would be considered. Does it use permissions? isolation of programs?
From what I understand the kindle has a flat hierarchy (user files + system files have equal permissions).

Of course, I referenced embedded devices and I have no clue what their setup is.
Android has the VM running on top of the kernel which has its own set of vulnerabilities so while the Linux kernel and system was made with security in mind the java vm on top might not be.
One of my goals is to pick the drivers out of my android tablet and then put a standard linux distro on and put the drivers back in so I can just run native linux.
 
Old 03-12-2015, 03:39 PM   #21
Ihatewindows522
Member
 
Registered: Oct 2014
Location: Fort Wayne
Distribution: Ubuntu 16.04 LTS
Posts: 616
Blog Entries: 2

Rep: Reputation: 166
Quote:
Originally Posted by enine View Post
Android has the VM running on top of the kernel which has its own set of vulnerabilities so while the Linux kernel and system was made with security in mind the java vm on top might not be.
One of my goals is to pick the drivers out of my android tablet and then put a standard linux distro on and put the drivers back in so I can just run native linux.
Heard that 5.0 eased up on SELinux to improve performance...

**...NO YOU IDIOTS!!1!**

Thankfully CM 12 will boost SELinux policies!


For a full-fledged distro on your tablet, Canonical is pumping out ROM images with Ubuntu. Tried on my GT2 and didn't even install, maybe it will work for you. Plasma Active is always another option.

Last edited by Ihatewindows522; 03-12-2015 at 03:40 PM.
 
Old 03-12-2015, 03:55 PM   #22
replica9000
Senior Member
 
Registered: Jul 2006
Distribution: Debian Unstable
Posts: 1,125
Blog Entries: 2

Rep: Reputation: 260
Quote:
Originally Posted by Ihatewindows522 View Post
Heard that 5.0 eased up on SELinux to improve performance...

**...NO YOU IDIOTS!!1!**

Thankfully CM 12 will boost SELinux policies!


For a full-fledged distro on your tablet, Canonical is pumping out ROM images with Ubuntu. Tried on my GT2 and didn't even install, maybe it will work for you. Plasma Active is always another option.
I know the Nexus 6 seems to stutter in performance. I heard it's using encryption by default though.
 
Old 03-12-2015, 08:15 PM   #23
ron7000
Member
 
Registered: Nov 2007
Location: CT
Posts: 248

Rep: Reputation: 26
Quote:
Originally Posted by MensaWater View Post
Puh-lease! Do you really think most of that would be standard equipment on all cars if NOT mandated by law? Sure some automakers (e.g. Volvo) stress safety and innovate things like this but seat belts did not become ubiquitous in the US until the Federal government mandated them. Even then USING seat belts didn't become ubiquitous until most states passed laws requiring them.

Windows does in fact come with rudimentary built in protection/scanner built into it.

It is also not true that there is no antivirus available (and advisable) for Linux. Ever heard of ClamAV?
i was making a crude analogy to illustrate the double standard of microsoft windows not coming with antivirus and being as virus prone as it is.

speaking of mandated by law, why not mandate microsoft to include a worthy antivirus program or better yet design their product to not be so full of security holes. I don't get a recall notice every tuesday of the month for my car. stop and think about it all for a minute, about everything you come to accept with microsoft windows and networking.
with the car analogy, using microsoft windows you don't get physically injured but you sure can get financially injured. It is illegal for me to physically steal [money] from you, and it is illegal for me to hack and steal money from you in cyberspace... such as exploiting security holes in microsoft windows when you make online purchases i then get your credit card info or steal your identity. Does Microsoft not have an obligation if they provide a product that does everything that it does, that it be secure? You use their product for an online purchase, or browsing of a website, or file download. If doing that injures you in some way, shouldn't Microsoft be held somewhat responsible since it's their product allowing it to happen?

And like i said, I don't get how other companies providing antivirus software can know better than microsoft - still have not got an answer to this one!

Last edited by ron7000; 03-12-2015 at 08:26 PM.
 
Old 03-12-2015, 08:34 PM   #24
salasi
Senior Member
 
Registered: Jul 2007
Location: Directly above centre of the earth, UK
Distribution: SuSE, plus some hopping
Posts: 4,070

Rep: Reputation: 897
Quote:
Originally Posted by Miati View Post
I've been seeing the title phrase above a lot (reading about security).
One of the troubles with this kind of discussion is that it elides different types of thing, and it very easily comes up with nonsense as a result. GIGO.

Quote:
Originally Posted by Miati View Post

Basically, the argument for why windows gets hit with malware so often is because windows is installed everywhere and linux is clearly in the minority and is such protected.
From my understanding though, unix like systems (Linux, BSD) run practically everything except desktops (you know - in a majority). It runs all sorts of embedded stuff (tv's, routers), servers (amazon, netflix, yahoo) supercomputers, etc.
*nix based systems are apparently commonplace and must be high value targets (servers and routers have got to be valuable sources to crack)
Windows has a number of disadvantages, from a security point of view, but the argument about servers and routers is quite different, but also interesting.

First of all note that some quite high profile organisations use windows server for their web presence, so it is possible to make Windows server adequately secure (...wouldn't like to do it myself, but that's an entirely different debate...).

One of the key things here is that servers don't get 'random' bits of software installed, with limited knowledge about their provenance. (Well, at least, not by anyone with a brain cell to deploy, anyway.) Because you don't install idiot bits of software downloaded from entirely unreliable sources scattered around t' interwebs, you don't get all of the security problems that come with those bits of software. Of course, you can argue whether, had this happened to Linux, it would be a Linux problem...you've installed, for example, something by Adobe and imported a vulnerability that wasn't in the original Linux.

Is this a Linux problem or not?

Well, this makes a massive difference to how you look at things, so you have to have an answer. It is still a Linux system that is vulnerable, but the vuln wasn't in your original Linux system.

In any case, because Linux has a system that makes sense for installing apps (broadly, you get them from your Linux distro supplier, and broadly it is as simple as clicking a button in an app that your distro has provided for the purpose) and has had that for over a decade, if your distro's security team does a good job, and you click the 'update' button on a frequent basis, you are less exposed to this risk than you would be in another situation.

There is a side order of 'well we wrote the app, but we can't be bothered to update it in a timely manner, because it is all proprietary, and no one can call us out on it, because they can't see the source code, and see how simple it would be to fix, if they did...' but that is probably a smaller proportion of the problem.

In any case, have a look at routers; there are plenty of reports of vulns, to the extent that probably the majority of routers out there are proudly sporting some (relatively) easily exploitable vulnerability. So, given that mostly, people do not install apps on their router, how does that come about?

The trouble here is that
  • router manufacturers tend to regard their software as 'fit and fire'; they blow the software in production, and lose interest rapidly, in particular, once the router is out of series production
  • people often entirely ignore the requirement to keep router software updated

The end result is that routers really are usually vulnerable, but, in a way, it isn't usually as important as if they had done that to your computer. If someone 'pwns' a router, they've got a router. They haven't got your credit card details, they haven't erased the root partition of your computer (although there are some unpleasant things that they could do, broadly they aren't the things that make them easy money) and they aren't in a position to hold your data for ransom.

Quote:
Originally Posted by Miati View Post
Since linux has existed for a long time (decades worth after all), since the same code to run decades ago are still relevant today (in the terminal at least) there ought to be well refined, heavy set malware ready to go in our "desktop linux" world.
so..
Weeeelllll....

Kernel flaws are kernel flaws. The kernel has existed for quite a long time, but there is a reasonably rapid turn over of code. Once it is known that 'doing it this way' is flawed, there tends to be quite a quick change to another way of doing it (as there has to be, of course).

But most of the flaws that get exploited are not kernel flaws. So, something like the SSH/Heartbleed flaw -big enough for you?- was a flaw in the way SSH worked, in that it allowed exploitation. Affected a lot of distro installs (and there will be plenty of people out there who have said 'Ain't going to fix my system 'till there is something broke; it all works, so I don't need no stinkin' updates' and are still running flawed code.), but although pretty fundamental, it wasn't a kernel problem, therefore not strictly a Linux problem, even though it did catch most distros (and the patch(es) were made available pretty quickly).

The recent bash exploitability (shellshock) was in the same category; fundamental, but not a kernel issue.

So, those were both serious, they caused much scurrying around to get systems patched 'in time' (whatever that means), but really not many people who took this seriously got reamed. There will still be people who haven't bothered with the patching, of course...

Quote:
Originally Posted by Miati View Post
You may or may not have X, you probably have less "desktopy" programs like libreoffice/banshee/etc but it's otherwise the exact same thing underneath.
As I say, it isn't usually the underneath that is exploited, so what is underneath isn't as relevant as it might at first seem.

Quote:
Should I consider every login attempt to my ssh port an attack?
Well, you probably could, but I don't know how it helps. What do you do with the count that helps anything?

In any case, it is an attack on SSH. It usually depends on badly configured/mis-configured SSH (or flawed key distribution, etc) and isn't a strictly Linux issue. You could turn SSH off, in many desktop cases, of course... You'd still have a Linux system, but one that is immune to SSH exploits (this is minimising attack surface, if you want to be professional about it).

Android, just to make the point, is a whole 'nother story. Android apps are pretty suspect, because no one is really checking them out adequately. Google (this is probably changing) isn't doing a good enough job to ensure that apps only use the access permissions that they say they are going to, or ensure that you can see, up front, the permissions that an app will require. A consequence is that people install apps which do things that are wildly out of proportion to their purported role (and then forget where they have given permissions away).

Now this might not be the world's most pressing problem when a phone is only a phone, but these days, it isn't. You may have paid for things, so maybe your credit card details are there, there is probably a version of your contact list there, and you (or they) wouldn't like everyone to have access to that kind of information (although, none of this is an attack on Android itself....but, whether it is or isn't, it still hurts exactly the same amount).

And, of course, currently only ~5% of Android phones are on lollipop, and who knows what unfathomable evil is possible with ancient versions of Android (here Apple does better - there is an upgrade path, and people often use it; ordinary Joes (and/or Janes) don't on Android, and so, one way or another, the Android world is full of exploitable phones).

Right now, the percentage of phones out there on Android 2.x is probably similar to the percentage on 5.x, and 2.x would be geriatric even if we weren't on 'Phone OS time' (which is faster even than 'Internet Time').

And, the situation is even worse for people who use alternate app repos - most of the programs there have something suspect about them, even if it is only a hilariously wide interpretation of what a reasonable permission set would be for a particular role (although, you would often be told about this when installing - but, anyone who has gone to an alternate source of programs may well not be put off by that detail).

@replica9000
Quote:
I know the Nexus 6 seems to stutter in performance. I heard it's using encryption by default though.
There is a complex situation with 'encryption by default'. As I understand it, it depends how you get your Lollipop. If you get your Lollipop installed with the device, as originally shipped, you get EBD, if you update an earlier device that originally didn't have encryption, you don't get EBD, but you could still choose encryption.

(I don't think this applies to all Nexus's, but the older ones won't have had any possibility of EBD, so, in that case, you can't be upgrading a device that had originally been EBD - although, what happens if you had a non-EBD device for which you had manually chosen encryption and then upgrade, taking the default, I don't know. You get what you get, is probably the closest I can come)

If, of course, you choose a device other than a Google device, the manufacturer gets to choose what you get by default (which, sort of, sounds as if I am making Google the manufacturer of the Google devices, which, of course, they're not).
 
Old 03-12-2015, 08:37 PM   #25
jefro
Moderator
 
Registered: Mar 2008
Posts: 21,978

Rep: Reputation: 3624
Even disconnecting the cable from the outside world doesn't prevent issues.

No OS and more importantly no application has proven to be secure.
 
Old 03-12-2015, 09:32 PM   #26
frankbell
LQ Guru
 
Registered: Jan 2006
Location: Virginia, USA
Distribution: Slackware, Ubuntu MATE, Mageia, and whatever VMs I happen to be playing with
Posts: 19,321
Blog Entries: 28

Rep: Reputation: 6141
Quote:
If Windows came with a (decent) anti-virus program, they would be accused of monopolizing the anti-virus market. Similar to how they were accused of that with Internet Explorer for the browser market.
I don't think this analogy holds.

Windows quite overtly used Internet Explorer to destroy Netscape and monopolize internet browsing, to the extent that they created web formats that were compatible only with IE. It was a power grab pure and simple.

Of course, were Windows to provide decent AV protection, the vendors who have made money by patching Windows's holes would scream that they were under unfair attack, but I do not think that attempts to patch security vulnerabilities is the same thing as attempting to monopolize a market. Now, if MS were caught out creating viruses that only its AV product could detect, that might be a different story.

As an aside, there is only one foolproof way to secure a computer: Unplug it, fill the case with concrete and let it harden, then dump it in a lake.

Last edited by frankbell; 03-12-2015 at 09:34 PM.
 
Old 03-12-2015, 09:38 PM   #27
jefro
Moderator
 
Registered: Mar 2008
Posts: 21,978

Rep: Reputation: 3624
http://securitywatch.pcmag.com/andro...e-million-mark

We've heard this.

And this.

http://www.engadget.com/2015/03/10/a...ecurity-patch/
 
  

