LinuxQuestions.org
Welcome to the most active Linux Forum on the web.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Reply
  Search this Thread
Old 11-14-2018, 08:08 PM   #31
zeebra
Member
 
Registered: Dec 2011
Distribution: Mageia, Slackware
Posts: 772
Blog Entries: 6

Rep: Reputation: 185Reputation: 185

Quote:
Originally Posted by cynwulf View Post
Windows 7 : 17 exploits since 2009

https://www.cvedetails.com/product/1...Windows-7.html

Linux : 29 exploits since 2009

https://www.cvedetails.com/product/4...ux-Kernel.html

Since 2009, 984 vulnerabilities found in Windows 7, 1651 in the Linux kernel.

And of course Windows is a complete OS, rather than just a kernel... so the "winner" here is very much open to debate.

Of course there are different issues here, which should not be conflated, but in terms of "security", it does seem that Windows has some advantages (some of which were detailed earlier in the Windows vs Linux thread).

The element which adds to the confusion is malware. Of course there is a massive plethora of malware specifically for MS Windows, as it's by far the biggest (and best) target for this. But most malware "infections" are really down to the end user not following best practices - i.e. if the end user executes malicious code with root privileges the same bad things tend to happen on any OS.

There are big cultural differences, in terms of where software is sourced from and how it is installed.

In your typical Linux distribution it's almost always from that distribution's repositories. This generally means trusted sources, signed packages, etc. Which does not simply equate to "increased security" as you've immediately and very drastically reduced exposure.

With Windows if it's not a licenced MS application or similar from a reputable vendor, it's often some crap downloaded from far less reputable sources, or legitimate software being hosted at some less then reputable file upload site. There is also far more of said crap available for Windows than there is for Linux.
You have some good points here. But I have to add a point, and that is with GNU/Linux you can increase security by customizing and hardening any part of the system, something you just can't do with Windows. With Windows you get what you see and what they provide. In the GNU/Linux world you can make your system into whatever you want yourself. If you want a hyper secure system, you can build that with all the available tools at your disposal and the full freedom to change pretty much every and any piece of your system.
 
3 members found this post helpful.
Old 11-15-2018, 04:47 AM   #32
cynwulf
Senior Member
 
Registered: Apr 2005
Posts: 2,305
Blog Entries: 5

Rep: Reputation: 1546Reputation: 1546Reputation: 1546Reputation: 1546Reputation: 1546Reputation: 1546Reputation: 1546Reputation: 1546Reputation: 1546Reputation: 1546Reputation: 1546
Quote:
Originally Posted by zeebra View Post
with GNU/Linux you can increase security by customizing and hardening any part of the system
Well since grsec/pax took their ball home and considering Torvalds' general attitude to security and "security people" in general, I'm not sure that would amount to much more than something which is nice in theory.

While I could easily patch and rebuild the kernel with something "off the shelf" from grsec, I certainly don't have the skill to write my own mitigations or come up with the kind of security features found in OpenBSD and I'd imagine that the majority of typical Linux users/sysadmins are in much the same position.

While you could have safely said 10 years ago something along the lines of "my Linux is secure and Windows less so, I can view the source code...", etc - since the arrival of Android and the whole embedded Linux revolution, the CVEs tell a very different story, as the data I've provided shows. The increased exposure of the Linux kernel has been combined with a steady increase in the discovery of vulnerabilities in the kernel.

Being able to view the source, is somewhat pointless for those who don't understand it - bear in mind that many kernel developers don't actually know what most of the code actually does and Torvalds himself admitted that there was too much for humans to audit.
 
1 members found this post helpful.
Old 11-15-2018, 05:13 AM   #33
wpeckham
Senior Member
 
Registered: Apr 2010
Location: Continental USA
Distribution: Debian, Ubuntu, Fedora, RedHat, DSL, Puppy, CentOS, Knoppix, Mint-DE, Sparky, Vsido, tinycore, Q4OS
Posts: 3,008

Rep: Reputation: 1288Reputation: 1288Reputation: 1288Reputation: 1288Reputation: 1288Reputation: 1288Reputation: 1288Reputation: 1288Reputation: 1288
Quote:
Originally Posted by cynwulf View Post
Well since grsec/pax took their ball home and considering Torvalds' general attitude to security and "security people" in general, I'm not sure that would amount to much more than something which is nice in theory.

While I could easily patch and rebuild the kernel with something "off the shelf" from grsec, I certainly don't have the skill to write my own mitigations or come up with the kind of security features found in OpenBSD and I'd imagine that the majority of typical Linux users/sysadmins are in much the same position.

While you could have safely said 10 years ago something along the lines of "my Linux is secure and Windows less so, I can view the source code...", etc - since the arrival of Android and the whole embedded Linux revolution, the CVEs tell a very different story, as the data I've provided shows. The increased exposure of the Linux kernel has been combined with a steady increase in the discovery of vulnerabilities in the kernel.

Being able to view the source, is somewhat pointless for those who don't understand it - bear in mind that many kernel developers don't actually know what most of the code actually does and Torvalds himself admitted that there was too much for humans to audit.
No, not just theory. When the United States Navy needed a command and control operating system that could be deployed throughout a large ship, and control could be from any node, and the nodes form a network that did not decay ungracefully under damage conditions (nodes isolated or destroyed through enemy action), and secured against enemy intrusion attempts, the answer turned on Red Hat Linux. Windows did not even pass the first round of testing.
 
Old 11-15-2018, 05:51 AM   #34
cynwulf
Senior Member
 
Registered: Apr 2005
Posts: 2,305
Blog Entries: 5

Rep: Reputation: 1546Reputation: 1546Reputation: 1546Reputation: 1546Reputation: 1546Reputation: 1546Reputation: 1546Reputation: 1546Reputation: 1546Reputation: 1546Reputation: 1546
^ Citation needed

Searching dod.defense.gov I found one contract relating to "Red Hat", via a 3rd party, dating back to 2016.

I found many more for Microsoft. Billions of dollars in contracts in fact over the last two years alone.

I know that for aircraft such as the F22 or F35 a closed source RTOS is used, not sure about warships, though I remember reading something about the Royal Navy running their ships on Windows XP...

/Edit: -

USN using XP as recently as 2015: https://money.cnn.com/2015/06/26/tec...act/index.html

Royal Navy's newest warship found to be running XP last year: https://www.theregister.co.uk/2017/0...ng_windows_xp/

Last edited by cynwulf; 11-15-2018 at 05:57 AM.
 
1 members found this post helpful.
Old 11-15-2018, 08:40 AM   #35
cwizardone
Senior Member
 
Registered: Feb 2007
Distribution: Slackware64-current with "True Multilib" & Xfce.
Posts: 4,857
Blog Entries: 1

Rep: Reputation: 2261Reputation: 2261Reputation: 2261Reputation: 2261Reputation: 2261Reputation: 2261Reputation: 2261Reputation: 2261Reputation: 2261Reputation: 2261Reputation: 2261
The U.S. Navy has, and is still, using Xp. They, and a few others, are paying mickeysoft millions of dollars a year for support and "upgrades."

Many commercial airliners use software from Wind River. They also produce their own version of Linux.

https://en.wikipedia.org/wiki/Wind_River_Systems

Fortunately, thank God, the aircraft manufacturers are smart enough not to use mickeysoft software.
Attached Thumbnails
Click image for larger version

Name:	bluescreenofdeath.jpg
Views:	25
Size:	144.2 KB
ID:	28975  

Last edited by cwizardone; 11-15-2018 at 08:44 AM.
 
1 members found this post helpful.
Old 11-15-2018, 09:33 AM   #36
YesItsMe
Member
 
Registered: Oct 2014
Distribution: Gentoo
Posts: 557

Rep: Reputation: 210Reputation: 210Reputation: 210
Quote:
Originally Posted by cwizardone View Post
mickeysoft
Linsux.

Quote:
Originally Posted by cwizardone View Post
Many commercial airliners use software from Wind River.
Whose main product is the real-time operating system VxWorks which is an arguably better choice for airplanes than hobbyist "operating systems" with no real QA/QC process except "my 12-year-old son can read the source code which he won't understand". I would not really feel safe in such an airplane.

Fortunately, thank Cthulhu, the aircraft manufacturers are smart enough not to use Linsux software.
 
Old 11-15-2018, 09:34 AM   #37
cynwulf
Senior Member
 
Registered: Apr 2005
Posts: 2,305
Blog Entries: 5

Rep: Reputation: 1546Reputation: 1546Reputation: 1546Reputation: 1546Reputation: 1546Reputation: 1546Reputation: 1546Reputation: 1546Reputation: 1546Reputation: 1546Reputation: 1546
The RTOS I was referring to above is Integrity: https://en.wikipedia.org/wiki/Integr...erating_system).
 
Old 11-15-2018, 09:47 AM   #38
zeebra
Member
 
Registered: Dec 2011
Distribution: Mageia, Slackware
Posts: 772
Blog Entries: 6

Rep: Reputation: 185Reputation: 185
Quote:
Originally Posted by cynwulf View Post
Well since grsec/pax took their ball home and considering Torvalds' general attitude to security and "security people" in general, I'm not sure that would amount to much more than something which is nice in theory.

While I could easily patch and rebuild the kernel with something "off the shelf" from grsec, I certainly don't have the skill to write my own mitigations or come up with the kind of security features found in OpenBSD and I'd imagine that the majority of typical Linux users/sysadmins are in much the same position.

While you could have safely said 10 years ago something along the lines of "my Linux is secure and Windows less so, I can view the source code...", etc - since the arrival of Android and the whole embedded Linux revolution, the CVEs tell a very different story, as the data I've provided shows. The increased exposure of the Linux kernel has been combined with a steady increase in the discovery of vulnerabilities in the kernel.

Being able to view the source, is somewhat pointless for those who don't understand it - bear in mind that many kernel developers don't actually know what most of the code actually does and Torvalds himself admitted that there was too much for humans to audit.
I'm not a security expert, but are those issues in Android really related to the Linux Kernel? Remember, Android is not GNU, it just uses the Kernel with a totally different userland and interface. Might it be that many of those problems are with Android and not Linux, as in Android/Linux.. Not GNU/Linux..?

There are pretty easy tools that can harden a GNU/Linux system significantly. Personally I am about to embark on the selinux journey myself, learn it properly and use this for some of the main issues that I have with GNU/Linux security. I know, I said user friendly and selinux is not user friendly. But compared to auditing all the code of your system, it is quite user friendly, no? And also, selinux is not the ONLY way to harden your system.

There are other tools to do it, and there are also many included tools in the system to do it. I mean, take something as easy as umask 077. Security policies, configuring properly, firewalls etc.. Those are common things that people actually use.
 
Old 11-15-2018, 10:38 AM   #39
cwizardone
Senior Member
 
Registered: Feb 2007
Distribution: Slackware64-current with "True Multilib" & Xfce.
Posts: 4,857
Blog Entries: 1

Rep: Reputation: 2261Reputation: 2261Reputation: 2261Reputation: 2261Reputation: 2261Reputation: 2261Reputation: 2261Reputation: 2261Reputation: 2261Reputation: 2261Reputation: 2261
This is something I wrote in another thread... almost two years ago.

Quote:
Reliability is the biggest problem with anything from microsoft.
I once worked with a younger colleague who, not too many years before, had been a junior officer aboard a U.S. Arleigh Burke-class Aegis-equipped guided missile destroyer.
One day, while at sea, the computer running the propulsion system flashed the "blue screen of death" and the ship became still in the water. As the propulsion system also ran the air conditioning, charged he batteries for the electrical system, etc., they were in serious trouble. As long as the batteries lasted they were on the phone with the "experts" but couldn't resolve the problem. They drifted for three days before another ship could reach them and tow them into port.
The sales people at mickeysoft must be very good at their jobs.

Last edited by cwizardone; 11-15-2018 at 10:43 AM.
 
Old 11-15-2018, 10:51 AM   #40
cynwulf
Senior Member
 
Registered: Apr 2005
Posts: 2,305
Blog Entries: 5

Rep: Reputation: 1546Reputation: 1546Reputation: 1546Reputation: 1546Reputation: 1546Reputation: 1546Reputation: 1546Reputation: 1546Reputation: 1546Reputation: 1546Reputation: 1546
The CVEs I was referring to were Linux kernel related.

Android is separate: https://www.cvedetails.com/product/1...e-Android.html

I mentioned Android (and embedded Linux) as that's when Linux really exploded and began to be used by the average person.
Quote:
Originally Posted by cwizardone View Post
The sales people at mickeysoft must be very good at their jobs.
It beggars belief. But then I'm not sure how much better things would be running Red Hat with a certain "init system" from a certain developer..... There is a lot to be said for predictable crap, which while still crap has been picked apart over decades and it's flaws more better understood.

The idea of something important, mission critical or life preserving running on Windows 10 is also a frightening prospect...

Last edited by cynwulf; 11-15-2018 at 10:59 AM.
 
2 members found this post helpful.
Old 11-15-2018, 11:06 AM   #41
zeebra
Member
 
Registered: Dec 2011
Distribution: Mageia, Slackware
Posts: 772
Blog Entries: 6

Rep: Reputation: 185Reputation: 185
Quote:
Originally Posted by cwizardone View Post
This is something I wrote in another thread... almost two years ago.
Ooh man, that story.. I think the Russian "electronic warfare" units would have a field-day with that stuff. They would find themselves lucky coming up against such a system and not an actual hardened one.
 
1 members found this post helpful.
Old 11-15-2018, 11:18 AM   #42
cynwulf
Senior Member
 
Registered: Apr 2005
Posts: 2,305
Blog Entries: 5

Rep: Reputation: 1546Reputation: 1546Reputation: 1546Reputation: 1546Reputation: 1546Reputation: 1546Reputation: 1546Reputation: 1546Reputation: 1546Reputation: 1546Reputation: 1546
Quote:
Originally Posted by zeebra View Post
Ooh man, that story.. I think the Russian "electronic warfare" units would have a field-day with that stuff. They would find themselves lucky coming up against such a system and not an actual hardened one.
It could have been as "hardened" as you would like it to have been, in that anecdotal case it simply wasn't reliable.
 
1 members found this post helpful.
Old 12-01-2018, 04:00 AM   #43
ikram12
LQ Newbie
 
Registered: Dec 2018
Posts: 1

Rep: Reputation: 1
Inertia is a powerful force. Although there is clear consensus that Linux is the safest choice for the desktop, there has been no stampede to dump Windows and Mac machines in favor of it. ... In other words, if enough users switch to Linux on the desktop, Windows and Mac PCs are very likely to become more secure platforms

Last edited by ikram12; 12-03-2018 at 01:05 AM.
 
1 members found this post helpful.
Old 12-01-2018, 12:14 PM   #44
YesItsMe
Member
 
Registered: Oct 2014
Distribution: Gentoo
Posts: 557

Rep: Reputation: 210Reputation: 210Reputation: 210
Quote:
Originally Posted by ikram12 View Post
Although there is clear consensus that Linux is the safest choice for the desktop
If the only two operating systems you know are macOS and Something/Linux, this might be true. Otherwise, it is either a lie or a result of your lack of knowledge.
 
Old 12-01-2018, 05:02 PM   #45
wpeckham
Senior Member
 
Registered: Apr 2010
Location: Continental USA
Distribution: Debian, Ubuntu, Fedora, RedHat, DSL, Puppy, CentOS, Knoppix, Mint-DE, Sparky, Vsido, tinycore, Q4OS
Posts: 3,008

Rep: Reputation: 1288Reputation: 1288Reputation: 1288Reputation: 1288Reputation: 1288Reputation: 1288Reputation: 1288Reputation: 1288Reputation: 1288
Quote:
Originally Posted by YesItsMe View Post
If the only two operating systems you know are macOS and Something/Linux, this might be true. Otherwise, it is either a lie or a result of your lack of knowledge.
Exactly. The safest OS I run is not network enabled. The most secure networked OS I use may be KolibriOS: it is certainly the fastest. Among the Operating Systems known to most Windows users, some of the Linux I run is far more secure than anything current from Microsoft. NOW! Everything changes with time, and there are far more choices today than ever before.

My best advice: Pick something that is secure enough for your environment and requirements that provides the functionality you need and get on with your life. Nothing is perfectly secure, nothing is perfect, and waiting for perfection is to miss out.
 
2 members found this post helpful.
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
I Am Now the Product... Enough is Enough IntrepidExplorer Linux - Distributions 26 07-24-2017 08:42 PM
LXer: Enough is Enough. Higher Education...? Wake Up LXer Syndicated Linux News 0 01-17-2009 06:00 PM
New case causes concern (enough ventilation? grounded well enough?) wilsonsamm Linux - Hardware 1 06-11-2006 11:11 AM
enough is enough... >:( b0uncer Linux - Security 4 05-20-2004 01:49 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 11:14 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration