No OS is Secure

Recently I got into a debate over security issues in Linux and on Windows. In summary, my conclusion is that if Linux were to go mainstream, viruses and exploits may see a rapid increase; however, distros such as Fedora would deliver a near-instantaneous fix like they did for bash. Windows, because of its roots in DOS, does not have this benefit, as a virus made to affect Windows 8 will very likely have the exact outcome as on Windows 98. The Linux kernel is constantly evolving, thus isn't affected by viruses and exploits patched previously. Not only is this a fact, but corporations such as Red Hat and Canonical are deeply invested in providing the end user the most refined product so as to make a profit. What people commonly take for granted is that Linux is open source, and as a result users are willing to collaborate to eliminate viruses and exploits. Windows is closed source, and as a consequence suffers from numerous issues that could easily be fixed had it been open in the first place. Linux truly is the future of the desktop, and Microsoft will not prevent its uprising. Steak is only a mere star in contrast to the universe that Linux (and its successor) will consume.

Edit: Open operating systems are more so secure than closed operating systems, and fixes will come faster as the Linux community is always growing. I really appreciate the comments as... well, my posts are not perfect, and for that matter anyone using "fact" and opinion isn't correct as there are multiple perspectives.

+1

Well, thank you for pointing out that no OS is secure, sorta tired of people saying how Linux is this impenetrable force. But yes, you are right, if a problem does arise it can be taken care of in no time. I am excited to see Linux go "mainstream", but at the same time, more problems will arise. Time will tell, but I'm excited to see the future of Linux :)

Well, deeply, the problem with Linux, and this has been said by too many people, is the lack of support. You could say all you want about open source, but as terrible as some companies are, you need at least some modicum of support from at least some of them. We all know NVIDIA doesn't give a rat's ass about Linux and they hold most of the GPU market. Also, these companies aren't going to support Linux if they can't profit from it.

Also, I disagree about Linux taking over the desktop space. Only for two reasons:

  • Let's say theoretically we lived in a backwards world where Linux were dominant and Windows didn't succeed and had no support. A company like Samsung could make their own distro and only support that distro for their products, Google could have their own distro and they could fuck everyone over and say, "Oh, our products get more support or work better on our distro," and so on with other companies. That is not ideal. Not to say open source is bad, but if Linux were to succeed I would expect a future where all these companies screwed the consumer for their own benefit.
  • The average consumer does not know about Linux (ask a regular guy on the street "Do you know what Linux is?"); all they are going to care about is: can it do what I need it to do, does it have programs I use (NOT alternatives), and is it simple to use?

Also, I do believe what Big Al Tech said in that Linux thread about this: if Linux were dominant, the issues we probably are seeing with Windows would probably be just as bad or worse on Linux.

paragraphs are a thing...

I think most reasonable people would accept that Linux is architecturally more secure, but consider that all it takes for malware to get root in a system is a dialog popping up asking for the user's password. The weak point in security is the user. If someone downloads a file that claims to be Photoshop for Linux and it asks for their password for the installation, it's game over at that point. The software doesn't have to exploit any bugs in the system, so there is nothing that can be patched. You can't fix stupid. When it gets to the point that taking over desktop Linux systems is seen as a profitable avenue for criminals, we'll be flooded once again with signature based virus scanners and antivirus software and all that crap that tries to make up for user error.

To be fair, Linux has a much better ecosystem for responding to exploits that would bypass the need for user stupidity. With Windows, someone might notice malicious activity and even report it to Microsoft, but then it enters a black hole and it's up to MS how they announce it or when they fix the problem or if they even care enough to pay developers to investigate the incident. With open source projects, bug reports are public, anyone can look at the issue and try to contribute a fix, and there is generally a large incentive for companies to upstream their fixes so that they don't have to be responsible for maintaining the set of patches.

Of course to be fair to Windows as well, once a box is owned, it's owned all the way regardless of what OS it runs. Virus scans and firewalls? Hardware don't give a fuck, and when you own a box you own the hardware. So the reality is, as others have pointed out, Linux isn't impervious to infections. Still, right now it is a hell of a lot more secure than Windows.

There are different notions of secure, and not only are OSes not secure, but software is not secure, and hardware is not secure:

- The "RNG bug" in Intel cryptomodules on the CPUs;

- the "Secure Boot" feature in UEFIs that come preloaded from the factory with Microsoft keys and a set of keys labeled "PRC-something" (at least they don't hide what they're doing);

- any and all software code contains bugs. That is just a given. Because of the fact that the quality control of open source software is much higher in all aspects than closed source software quality control, there are fewer bugs with open source software, and what's more important, the bugs are visible to anyone, patchable by anyone, whereas bugs in closed source software are (often voluntarily or even purposely) obfuscated.

This is not a big deal though. Cars are also inherently dangerous and unsafe. They used to be more unsafe than they are now, but they're still pretty dangerous things. That is not a reason not to use cars though. It's the same with software and hardware, it's the same with a kitchen knife. In the end, it all comes down to user responsibility.

That doesn't mean that there is an evolution, because people learn from mistakes of the past. That is why the software that makes the world turn has returned to the open source model. That is why cars run on open source software loaded microprocessor-based management systems. That computer technology and software actually makes cars a hell of a lot safer, not only to the user and his family, but also to other people and the environment. One can always debate everything to death, which is what happened for instance in NASCAR, where there's so much debate that technology was frozen, and engine technology of the 50's was made mandatory, with an absolute prohibition to implement more evolved technologies. But that is not the only option, it's also possible to continuously work towards striking a balance between pros and cons, just to make things better in the larger picture, like Formula 1 for instance, where technology has evolved and hybrid engines are used with the latest energy saving technologies.

The same goes for computing soft- and hardware. You can debate any kind of progress to death and hang on to 30 year old expensive and useless closed source operating systems that you can't see the insecure aspects of, which is also known as "ostrich policy", or you can face the music, and accept that software has bugs, and set up mechanisms to counteract damage from those bugs, by open sourcing the code, by implementing second line of defense security features like MACs and RBACs, by building an aware and capable open source community that can solve problems at an incredible pace and with deadly accuracy.

Using powerful machines, whether cars or computers, is a task that requires responsibility by the user...

The more famous a system becomes, the more viruses and malware you are going to see for it. No system is secure. BUT:

An open OS that has matured over the years has far fewer holes and bugs that can be exploited, the community constantly has the power to check the security quality (which is a much more efficient way than closed QA) and fixes in an open environment are easier to make and faster since it's not the right and responsibility of just one stakeholder.

Additionally, an open product gives no incentive or ability to hide a flaw as opposed to a closed product under a company's sole control.

I trust hardened Gentoo against anything else that is out there.

+1 Great post.

+1

Gentoo is awesome, however I've never used anything like it until now (Sabayon) as I'm blind (sort of).

Nope...

- GNU/Linux distros are based upon the Linux kernel. The Linux kernel ensures the hardware compatibility. Samsung is actually a major Linux kernel contributor, because they shell out a lot of hardware. Samsung has no interest in providing closed source hardware compatibility only, they have stopped selling x86 hardware in several markets (like the entire EU for instance), and focus on Linux-based computing hardware (Android and Tizen are but Linux distros after all). The GNU/GPL licensing of the Linux kernel prevents anything based on the Linux kernel being closed source, unlike for instance BSD, which is used by Apple to provide a mainly closed source OSX and iOS operating system.

- There are many more "average consumers" that know how to use Linux distros than there are average consumers that know how to use Windows. There are over 2 million Linux devices for personal computing purposes activated every single day. In comparison to the market penetration of Linux as a whole (including cars, alarm systems, medical equipment, household appliances, multimedia devices like smart TVs, PVRs and set-top boxes, parking meters, energy control devices, access control systems, HVAC control units, etc etc etc... which all run on Linux), the market penetration of Windows is almost non-existing. The difference is that Linux - because it's open source - provides such a broad scale of completely customized super easy to use applications, that people don't even notice it's there, because the user interface is so incredibly intuitive and reliable. People already know how to use Linux as soon as they know how to make a phone call, put empty bottles into a caution calculating bottle recycler, or use an elevator. That is the strength of open source and Linux, people just automatically learn it without having to struggle with anything, even without knowing what exactly they are using.

- Security in Linux goes much further than first line of defense stuff. In open source, bugs are taken very seriously, they're given names like hurricanes in meteorology, they're patched in mere hours, etc... BUT... most of these bugs, like Heartbleed or now Shellshock, pose a very low to non-existing security risk in real life, because there are multiple lines of defense in Linux, and the chances of even getting root access through a leak in an application enabling anyone to do real damage are really small, because they also have to pass the firewall or get local access, and they also have to get through the MAC and RBAC of the Linux system, which is much easier said than done. It has been proven that even on a completely unconfigured and fully exposed system, Shellshock couldn't do any damage to a system that was running SELinux or Tomoyo or GRSec. On top of that, Shellshock is only relevant in exposed systems (read: public access servers), and most of those these days are entirely virtualized setups, where - even if you get in and can execute a malicious payload - the net result of the operation will be very thin or non-existing, and it's much more dangerous to even try something against a Linux server, because all the tools are there for network forensics, leaving a VERY small window of opportunity for attackers, and early detection and attack analysis almost always leads to early detection and identification. Notwithstanding all that, the open source community isn't complacent at all with that in mind, they take every single bug or possible attack vector these bugs might create very seriously, and everything is always out in the open, there is no way to hide anything, and every bit of code has the name of the developer and maintainer on it, so there is no way to hide...

- The only thing that poses a relatively real security risk in Linux is the speed of the evolution. Linux evolves at such a murderous pace that beta software - even though exponentially more secure than even the most stable closed source products - should only be used in a secure environment, by people that know what they're doing. This is well documented, the repos for development stage software are kept separate, and there are clear warnings in the documentation provided with these development stage software packages, and here also, the more people that use it and partake in the testing, the better the debugging.

The company I'm working with built our operating system from assembly up. So, we are pretty confident in it. Then again, it isn't for home use XD. But pretty impressive nonetheless.

Wow... Great post.

+1