Linux - Security
This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Well, most people don't simply use a Kernel. Your claim however is questionable. Just like my claim to say GNU userland is more secure than Windows userland.
According to this list, the Linux kernel was #2 on the list after Android for 2017. This isn't surprising since Windows had a major push to eliminate vulnerabilities and has fallen behind on innovation while the Linux kernel is adding a huge amount of new code every year.
Let me strike well past everyone's opinion (including my own) to address the real point.
If you search for instances of ransomware, many only involve Windows machines. The ones that involve Linux machines involved SAMBA mounted storage (shares). There are no instances that I have been able to find that involve only Linux servers and clients. Not one.
It may be that my search was not broad enough and I missed some cases, or flawed in other ways. It may be that the shops with impact that ran Linux, as do many who run Windows, kept the impact secret. Or, it may be that Linux has not been targeted by this kind of attack. Yet. But it is more than a bit suggestive.
Well, GNU/Linux is definitely not impenetrable, but unlike Windows it was actually built to be an OS and purpose built for that. Windows is (or at least was) a patchwork of random code, heaped together into a single OS.
Then there is of course the factor that the Linux Kernel is open source and the Windows Kernel is not. What "yesitsme" surely refers to is "known vulnerabilities", which are of course much easier to find when you can actually inspect the code. The Windows Kernel for sure has a lot more vulnerabilities than those that are known, but far fewer people ever inspect that code.
So even if the numbers on that website are correct, the logic behind it is somewhat flawed when drawing conclusions like "yesitsme" did.
Windows is (or at least was) a patchwork of random code, heaped together into a single OS.
Made by the same people, while Linux distributions usually just smash together a huge heap of "somewhat maintained" applications and let the users figure out how they are supposed to work together. I mean, even within the GNU project, they just can't make everything work as if it was "a single OS". Still waiting for Guile Emacs ("GNU Guile is the preferred extension system for the GNU Project").
Quote:
Originally Posted by zeebra
The Windows Kernel for sure has a lot more vulnerabilities than those that are known
Windows is not really an OS, it is a desktop environment built upon a framework that you have no access to. So in that regard I have to disagree with you and say that in MY experience GNU/Linux works excellently as a single customizable OS (distribution) and each of the parts in it usually function as you expect. Things make sense and are logical as well, which makes me think the whole construction is just built in a way which is more secure than Windows by their very nature.
I am by no means an expert, but these are my impressions after decades of using DOS, Windows and GNU/Linux and trying other things as well (BSD, MAC OSX, OS9).
Anyways, Windows definitely does not provide an OS, it only provides a single desktop environment where you can do some of the same things that you can in an operating system. Imagine if your GNU/Linux experience was ONLY KDE and nothing else, no terminal, no tools, no functions etc, just KDE and some APIs. That would be equally horrible and could not really be called an OS.. And I say that as a big fan of KDE.
Do I think GNU/Linux is perfect? No way! I often think of how a perfect OS should be built, and in most of these conceptual thoughts, major changes from how Linux and GNU currently needs would be needed, and the OS would be built in an entirely different way. That however does not prevent most of my thoughts revolving around the concepts I know from Linux and GNU, simply because many of those concepts are excellent. I can't think of a single concept I'd want to bring into a "perfect OS" from Windows.
I don't even think GNU/Linux is the best OS available, I think that title has to go to one of the variants of (proper) BSD. However, BSD simply isn't as available on hardware you need as Linux is. From a user perspective, it is not really friendly to handle.. Yeah, I see the irony in that statement too.
Windows has always officially allowed you to choose a different desktop environment than the one shipped with Windows. Please don't tell lies, people might believe you.
And don't misunderstand me on what I think about GNU. I think the GNU project is mostly a good thing, although its purpose (a free replacement for Unix) is anachronistic since 4.3BSD-Net/1 which was released in 1989. I occasionally use Emacs and I find the Hurd technically well planned. But "GNU/Linux" is not really a good example of a "single OS" because all of its parts are mostly incompatible with each other. Just because a software runs on Linux, it does not necessarily fit in. Have you ever used KDE applications on a GNOME system?
Sadly, macOS did that even better than Windows - except that it won't allow you to use a different desktop.
Since 2009, 984 vulnerabilities found in Windows 7, 1651 in the Linux kernel.
And of course Windows is a complete OS, rather than just a kernel... so the "winner" here is very much open to debate.
Of course there are different issues here, which should not be conflated, but in terms of "security", it does seem that Windows has some advantages (some of which were detailed earlier in the Windows vs Linux thread).
The element which adds to the confusion is malware. Of course there is a massive plethora of malware specifically for MS Windows, as it's by far the biggest (and best) target for this. But most malware "infections" are really down to the end user not following best practices - i.e. if the end user executes malicious code with root privileges the same bad things tend to happen on any OS.
There are big cultural differences, in terms of where software is sourced from and how it is installed.
In your typical Linux distribution it's almost always from that distribution's repositories. This generally means trusted sources, signed packages, etc. Which does not simply equate to "increased security" as you've immediately and very drastically reduced exposure.
With Windows if it's not a licenced MS application or similar from a reputable vendor, it's often some crap downloaded from far less reputable sources, or legitimate software being hosted at some less than reputable file upload site. There is also far more of said crap available for Windows than there is for Linux.
For what it's worth, I think that there are also big differences in the psychology of Windows and Linux users, and these also tend to make Windows less secure. Cynwulf mentions the stupidity of going online as root. To Linux users, even newbies, the difference between being root and being an unprivileged user is usually obvious. It's drilled into you when you install your first distro. In Windows, on the other hand, everyone was root originally. I understand that's no longer the case and modern Windows releases have a separate administrative user. But I have heard that many long-time Windows users work as the administrative user all the time because they have become accustomed to having that degree of authority.
Also Windows users have much less knowledge about their system than Linux users. That's partly because a lot of the internals are commercial secrets, but it has also historically been encouraged because of the greater potential a permanently privileged user has to cause harm. I remember that when I used to use Windows, you were discouraged from exploring the system outside the licenced playpen of My Documents. There were big splash screens warning you off. I don't know if that is still the case, but I do know that an even greater degree of abstraction has come in with the so-called "libraries", a kind of pseudo filesystem that overlays the actual one so that you have no idea where any file actually is.
I think it's significant that the two best-known series of computer guides are called "*** for Dummies" and "Idiot's Guide to ***". They are often excellent books, and the authors don't treat their readers as dummies or idiots, but they are obviously addressed to people who have been systematically trained to think of themselves in that way. Now how can people with that kind of training be expected to behave sensibly when it comes to security?
I disagree with the assumption that Linux users automatically know more about their system. In fact, there is a reason why some distributions - like Ubuntu - are recommended to those who are afraid of the terminal.
It depends on what you mean by secure to some extent:
Do you mean "meets Trusted OS development guidelines"? Sure. So does Windows 10.
Do you mean "well hardened out-of-the-box"? Every distribution is configured differently on install so there really is no single goal post after which a Linux OS becomes "well hardened." That's a process the user is going to have to constantly be on top of with auditing (SUID, etc.) and application of good guidelines (least privilege, least functionality, etc.)
Do you mean "protected from any possible attack now or ever"? No system is. In the words of someone who I believe is a great man: The only secure system is powered off, buried in an underground bunker crawling with armed guards and laser alarms, it's rigged to destroy the entire complex in an underground nuclear explosion when someone opens the case without authorization, and even then it's still not completely secure.