Linux - Security
This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Since 2009, 984 vulnerabilities found in Windows 7, 1651 in the Linux kernel.
And of course Windows is a complete OS, rather than just a kernel... so the "winner" here is very much open to debate.
Of course there are different issues here, which should not be conflated, but in terms of "security", it does seem that Windows has some advantages (some of which were detailed earlier in the Windows vs Linux thread).
The element which adds to the confusion is malware. Of course there is a massive plethora of malware specifically for MS Windows, as it's by far the biggest (and best) target for this. But most malware "infections" are really down to the end user not following best practices - i.e. if the end user executes malicious code with root privileges the same bad things tend to happen on any OS.
There are big cultural differences, in terms of where software is sourced from and how it is installed.
In your typical Linux distribution it's almost always from that distribution's repositories. This generally means trusted sources, signed packages, etc. Which does not simply equate to "increased security" as you've immediately and very drastically reduced exposure.
With Windows if it's not a licenced MS application or similar from a reputable vendor, it's often some crap downloaded from far less reputable sources, or legitimate software being hosted at some less than reputable file upload site. There is also far more of said crap available for Windows than there is for Linux.
You have some good points here. But I have to add a point, and that is with GNU/Linux you can increase security by customizing and hardening any part of the system, something you just can't do with Windows. With Windows you get what you see and what they provide. In the GNU/Linux world you can make your system into whatever you want yourself. If you want a hyper secure system, you can build that with all the available tools at your disposal and the full freedom to change pretty much every and any piece of your system.
with GNU/Linux you can increase security by customizing and hardening any part of the system
Well since grsec/pax took their ball home and considering Torvalds' general attitude to security and "security people" in general, I'm not sure that would amount to much more than something which is nice in theory.
While I could easily patch and rebuild the kernel with something "off the shelf" from grsec, I certainly don't have the skill to write my own mitigations or come up with the kind of security features found in OpenBSD and I'd imagine that the majority of typical Linux users/sysadmins are in much the same position.
While you could have safely said 10 years ago something along the lines of "my Linux is secure and Windows less so, I can view the source code...", etc - since the arrival of Android and the whole embedded Linux revolution, the CVEs tell a very different story, as the data I've provided shows. The increased exposure of the Linux kernel has been combined with a steady increase in the discovery of vulnerabilities in the kernel.
Being able to view the source, is somewhat pointless for those who don't understand it - bear in mind that many kernel developers don't actually know what most of the code actually does and Torvalds himself admitted that there was too much for humans to audit.
No, not just theory. When the United States Navy needed a command and control operating system that could be deployed throughout a large ship, and control could be from any node, and the nodes form a network that did not decay ungracefully under damage conditions (nodes isolated or destroyed through enemy action), and secured against enemy intrusion attempts, the answer turned on Red Hat Linux. Windows did not even pass the first round of testing.
Searching dod.defense.gov I found one contract relating to "Red Hat", via a 3rd party, dating back to 2016.
I found many more for Microsoft. Billions of dollars in contracts in fact over the last two years alone.
I know that for aircraft such as the F22 or F35 a closed source RTOS is used, not sure about warships, though I remember reading something about the Royal Navy running their ships on Windows XP...
Many commercial airliners use software from Wind River.
Whose main product is the real-time operating system VxWorks which is an arguably better choice for airplanes than hobbyist "operating systems" with no real QA/QC process except "my 12-year-old son can read the source code which he won't understand". I would not really feel safe in such an airplane.
Fortunately, thank Cthulhu, the aircraft manufacturers are smart enough not to use Linsux software.
I'm not a security expert, but are those issues in Android really related to the Linux Kernel? Remember, Android is not GNU, it just uses the Kernel with a totally different userland and interface. Might it be that many of those problems are with Android and not Linux, as in Android/Linux.. Not GNU/Linux..?
There are pretty easy tools that can harden a GNU/Linux system significantly. Personally I am about to embark on the selinux journey myself, learn it properly and use this for some of the main issues that I have with GNU/Linux security. I know, I said user friendly and selinux is not user friendly. But compared to auditing all the code of your system, it is quite user friendly, no? And also, selinux is not the ONLY way to harden your system.
There are other tools to do it, and there are also many included tools in the system to do it. I mean, take something as easy as umask 077. Security policies, configuring properly, firewalls etc.. Those are common things that people actually use.
This is something I wrote in another thread... almost two years ago.
Quote:
Reliability is the biggest problem with anything from microsoft.
I once worked with a younger colleague who, not too many years before, had been a junior officer aboard a U.S. Arleigh Burke-class Aegis-equipped guided missile destroyer.
One day, while at sea, the computer running the propulsion system flashed the "blue screen of death" and the ship became still in the water. As the propulsion system also ran the air conditioning, charged the batteries for the electrical system, etc., they were in serious trouble. As long as the batteries lasted they were on the phone with the "experts" but couldn't resolve the problem. They drifted for three days before another ship could reach them and tow them into port.
The sales people at mickeysoft must be very good at their jobs.
Last edited by cwizardone; 11-15-2018 at 10:43 AM.
I mentioned Android (and embedded Linux) as that's when Linux really exploded and began to be used by the average person.
Quote:
Originally Posted by cwizardone
The sales people at mickeysoft must be very good at their jobs.
It beggars belief. But then I'm not sure how much better things would be running Red Hat with a certain "init system" from a certain developer..... There is a lot to be said for predictable crap, which while still crap has been picked apart over decades and its flaws better understood.
The idea of something important, mission critical or life preserving running on Windows 10 is also a frightening prospect...
This is something I wrote in another thread... almost two years ago.
Ooh man, that story.. I think the Russian "electronic warfare" units would have a field-day with that stuff. They would find themselves lucky coming up against such a system and not an actual hardened one.
It could have been as "hardened" as you would like it to have been, in that anecdotal case it simply wasn't reliable.
Inertia is a powerful force. Although there is clear consensus that Linux is the safest choice for the desktop, there has been no stampede to dump Windows and Mac machines in favor of it. ... In other words, if enough users switch to Linux on the desktop, Windows and Mac PCs are very likely to become more secure platforms
Although there is clear consensus that Linux is the safest choice for the desktop
If the only two operating systems you know are macOS and Something/Linux, this might be true. Otherwise, it is either a lie or a result of your lack of knowledge.
Exactly. The safest OS I run is not network enabled. The most secure networked OS I use may be KolibriOS: it is certainly the fastest. Among the Operating Systems known to most Windows users, some of the Linux I run is far more secure than anything current from Microsoft. NOW! Everything changes with time, and there are far more choices today than ever before.
My best advice: Pick something that is secure enough for your environment and requirements that provides the functionality you need and get on with your life. Nothing is perfectly secure, nothing is perfect, and waiting for perfection is to miss out.