FullOppositeRudder

I'm not sure if this deserves a new thread or not, but it almost seems like a topic in itself.

On another thread there have been favourable reports about Linux - specifically Linux Mint. At the suggestion of llondel (there is a PM for you) and others, I've had a look at it from boot CD option. It has possibilities for 'safe' internet work - perhaps .....

One nagging question remains (well several actually but one to start with). Wherein does the perceived "safety" of Linux (or - dare I suggest it - a Mac) lie?

Is it simply that they are used in relatively small numbers across the globe, and therefore the propagation of an attack will most likely starve for targets and unwitting victims?

If so, is it possible that if the number of users grows to a "worthwhile" critical mass, that it could be just as vulnerable to online cyber attack - with all of the graphic horror we are promised if we stay with XP ?

Thoughts appreciated.....

Saab Dastard

To some extent you are correct that the smaller user base of Linux and Mac OS makes them less attractive targets for attackers.

It's my belief that the Linux user base is a good deal more technically (and thus security) aware than the average PC user, so it is hard to see an increase in Linux use equating to greater opportunities for attackers.

I wouldn't say the same for Mac users, however - that's not having a go at Apple, just that the Apple ethos has always been about using their products, not having to understand them.

Also, I believe that Linux is inherently a more secure architecture than Windows.

Here's a useful article on the subject: Overview of Linux Kernel Security Features | Linux.com

But it's all too easy to be complacent.

SD

rh200

There's a few people on this thread who are far more qualified to answer than me, but.

I use exclusivly Linux, at home and for research, basic numerical modeling type stuff on clusters. It's the fundamental design of the system, (based around a Unix model I think) that makes it safe. That said, there are things you can do to make it unsafe. There are known risks out there for it.

As for the small target scenario, yes that is most likely a factor to a point. There's nothing like having all the attention and effort focused on one system type to be able to bring out any possible vulnerabilities.

llondel

Compared to XP, where most people tended to set up their account as an administrator, a Unix-like system (which includes both Linux and Mac) is normally configured with a fairly rigid partition between the root account and a user account, so a malicious payload wouldn't be able to modify any critical system files. It might compromise the user account if the user had a few executable files in a local directory, but not the system. There are exploits that can give an escalation to root privilege but they're not common and usually require local access to the machine rather than a dodgy email.

Part of the perceived safety is simply because there are a lot less bits of malware targeted at the less popular operating systems. There's also the fact that much of the Linux ecosystem is available as source code, and has plenty of peer review which makes it harder to smuggle something in.

Windows is vulnerable because it tends to try to make things easy for the user, automatically performing tasks to save the user from having to do them. Most of these have been subverted at some point, where the user thinks one thing is happening when in actual fact a malicious program has been started which may eventually get around to doing what the user expects to see, but will first set itself up to do nasty things. Windows 7 is a big improvement on XP, because Microsoft got its ar*e kicked over poor security and got its act more together.

mixture

Not quite my dear Saab... remember, OS X is just the pretty GUI... BSD is behind it !

First, open vs closed source has absolutely nothing to do with it. Its all in the security model....

The overall perceived safety of Mac and Linux can be assumed to be reasonably similar because Linux distributions are based on the Linux kernel, and Mac OS X is based on the BSD kernel and the open source Darwin project (only saying open source here because many people don't realise just quite how open source OS X is !).

Both Linux and BSD based operating systems have a great deal of inherent security and stability going for them.

The reasons for this are many fold, Linux and BSD are well established projects that have been going for a number of years and have always had a degree of security focus (BSD more so than Linux, which is more feature driven).

Apple have actually brought a number of security enhancements to BSD and also present within Darwin. Some indirect, such as their Objective-C programming language helping to enforce best-practices in safe coding down to various OS level enhancements. Apple have also always been heavily security conscious, unlike Microsoft which only really took note and understood change was needed after the Windows 2000 debacle.

So if we wanted to make things simple, we'd say its (Linux+Mac) vs Windows ..... rather than Linux vs Mac vs Windows, because in reality Mac really isn't any less secure than Linux .... in some areas Mac/Linux may well be more secure than Linux/Mac , in other areas Mac/Linux may well be less secure than Linux/Mac... but as it's all Linux/BSD based, its changing all the time on both sides. Hence you should be really comparing "Linux/BSD kernel based operating systems" vs Windows and don't get yourself lost in the details which are likely to be obsolete by time time you've figured it out.

Microsoft obviously have a larger customer base which makes them an attractive target, but I don't think that's necessarily the only reason for the larger number of exploits.... I think it also comes down to the fact that Microsoft have traditionally been an easier target to exploit (single-user model, monolithic design, large reliance on RPC calls etc. etc.).

To give them their due, in the post-XP era (i.e Vista onwards), Microsoft have made some inroads into changing their fundamental security model. Its a long task ahead of them, they're a corporate behemoth and its a gigantic codebase, its going to take time. But as others have pointed out Windows 7 onwards already does carry many serious security benefits that you won't find in XP or below.

In the end though, if the end-user is a moron and clicks and opens anything in sight, fiddles around with settings without knowing what they do, etc etc. then it really doesn't matter what operating system you give them.

Saab Dastard

Mixture, I was speaking of the users, not the OS!

I'm well aware that OSX is a UNIX derivative.

SD

cattletruck

Indeed OS security is only as good as the user's understanding. Most users just want it "on" so they can get on with things and often don't understand the consequence of bypassing a security measure to get a task done. Generally I have found OSX to be the best at managing its own security for the unaware user, Unix/Linux requires a deeper understanding of security for the unaware user and often a visit to the command line and vi editor. Windows is getting better with some impressive improvements of late but these aren't in the mainstream conscience yet.

You could argue that all three systems above provide good enough security with the weakest link being the end user. The common x86 architecture has allowed malicious payloads to be carried in obscure software, or even injected during a download. The diligent users would only choose reputable software vendors and always verify their software (md5, certs, etc). For everyone else it's a game of chance regardless of the OS used.

Most Unix/Linux security failings that I have seen have been the fault of poorly written third party software like CMS tools (WordPress is known as Hacking101 in *nix land), and there used to be some beauties in the olden days like:
Running mknod on tmpfs in Solaris would cause a kernel panic
Setting up a cron job to unlock a compromised account was a common hack
My favourite #include "/dev/tty" even won the code obfuscation competition.

Unix/Linux wont be the panacea for solving all your security issues unless you have sound technical knowledge to deal with them. If you don't have the time or inclination to learn it all then look at OSX first then Windows.

mixture

Indeed, I wish more developers would provide hashes & certs.


Good summary.

You have to remember where Linux/Unix came from, primarily intended for use on servers and all taken care of by one large community of coders. You have to remember that everything is a separate software package coded by different groups of individuals, all just handily pre-compiled and distributed for you in one friendly package. The user interface is just another package, perhaps with a few custom "themes" to match the Linux distribution colours.

Whilst OS X does have open source behind it, you have to remember a lot of that code came from Apple are ploughing R&D money into developing and maintaining it with whole armies of coders.

Hence the more polished look and feel of OSX, as well as the additional behind the scenes technical enhancements. Apple have integrated it all very well indeed.

Of course, OS X provides you easy access to the command line too. So you get the best of both worlds essentially, which you know will never be there because of the way Linux distros work.

I've tried the latest Ubuntu desktop.... OS X is way better for the very reasons given above about lack of integration which you know will never be there because of the way Linux distros work.

Saab Dastard

I just had to drop this in here: What if Operating Systems Were Airlines?

SD

Mac the Knife

Excellent summary from mixture



While I am not a Windows fan (I use Macs, several flavours of Linux, BSD and Solaris), it is worth pointing out that Windows CAN be locked down pretty tightly by means of proper security policies, ACLs, firewall rules, VPNs and audits.

The problem is that out-of-the-box, Windows is very loose (to prevent user grumbles) and most people leave it that way.

Mac

izod tester

CESG has also come out fairly positively about Linux - specifically the Ubuntu distribution.

See: UK's security branch says Ubuntu most secure end-user OS | ZDNet

mixture

We'll never hear the end of it from the Ubuntu marketing bandwagon !

I hate stupid headlines like that.

If you look at the charts, OS X didn't exactly lag far behind Ubuntu. The only difference was very minor, and was in the Device Update Policy section ("orange" instead of "green"... their marking needs more granularity !!) , so not really of much importance to home-users and I'd need to read the detail to see what the exact detail was as far as businesses was concerned.

Furthermore, Device Update Policy is a management evaluation criteria, rather than security evaluation criteria.

If anything, all that document does is confirm my earlier point made that Mac was as secure as Linux for all intensive purposes. But then I already knew I was right anyway !



(Edit to add: I've dug up the detail, their marking down of OS X from Green to Orange under Device Update Policy was down to "The enterprise cannot force the user to update their device or software." ..... Apple have been steadily improving their Server software, so I suspect policy enhancements were already in the works long before this publication)

llondel

It's also worth pointing out that for some jobs, doing so makes things a right pain in the ar. If it's someone in an office using a defined set of applications then yes, Windows can be good, in that it's easy to manage centrally and roll out upgrades while preventing users from installing their own stuff. I worked at one place that by default had everything locked down like that, but the development team were forever asking IT to allow this, that and the other because we needed all sorts of things to do our job. Eventually they granted admin rights on the machines and told us to tell them what we'd installed and that we were responsible for the consequences of anything bad.

Quote:

"The enterprise cannot force the user to update their device or software." .....

Which is one of the biggest irritants of any of these auto-update schemes that require a reboot to complete. You leave the machine on overnight logging data, only to return in the morning to discover that it rebooted at midnight and you didn't get most of the data you wanted. I'm happy for the machine to tell me it's got updates to install but the job gets done when I'm ready for it.

The other irritating thing with Windows is when you do need a reboot in the middle of the day and it declares that it's got 60 updates to install before it will reboot and takes three hours to do it.

mixture

Hehe ...

Or when someone thinks "I'll just quickly shutdown my Windows laptop and dash off" .... only to encounter the "installing update 1 of 1000000" screen !

(Yes I know you can shutdown without it if you know where to look, but the default option is to install updates)

rh200

Or you just get a 1000 clicks in the middle of nowhere, log on with a sattellite link. and your screwed. Or your near the very end of your monthly allowance and ..... Or Or Or. F@$$ windows.

HowardB

A few thoughts.

1) Security
Systems that are inherently designed to restrict access are more secure than open systems such as Windows XP. Programs that are shared across systems such as Java are continue to be a major source of problems for all of us.

2) Portability of Data
If a software package ceases to be supported or develops it in a direction a user does not like (for example the classic word processing program Wordperfect is no longer available) or locks you into their hardware ecosystem as a user (Apple) you have a major problem. With Open Source this has not been an issue as the original software remains available and it can be updated (forked) by anyone who does not like the new version. Linux Mint is a fork of Ubuntu when a lot of users did not like the latest Ubuntu interface.

3) Hardware drivers
Linux drivers are available as free downloads from most, but not all, equipment manufacturers & from independent groups. Support for older equipment tends to be better in Linux than Windows as the Vendors only tend provide software support for current hardware and operating system

4) Licencing
For me by far and away the most important issue. I read the full MS licence when I purchased DOS version 2 many years ago and even back then you had no rights at all. You give the supplier hard earned cash and they permit you to run their software only how, where and when they allow, but entirely at your risk. Open Source Software allows you to do anything you want with the software except that you must allow anyone else to do the same to any software you develop that includes it.

5) Updates
Windows is a pain when updating, particularly when compared with Linux. I receive Linux updates every day or two which are installed entirely in the background. Very, very, occasionally there is an update to the Kernel of the system, which requires a reboot which I leave until I next shut the system down. It takes no additional time to install the Kernel update over a normal shut down and restart, so no time wasted while it shuts down or restarts

6) Media Support
DVD's play in Linux, but as there are issues relating to the licence it is not legal in all countries. I only play legal DVD's I own to ensure that I keep within the spirit of the Law, but it does allow you to copy them onto your system which is illegal in most places.

7) Future
Most Linux software is written by people employed by major companies to write Linux software - IBM, HP, Microsoft (!) etc. It already runs 99.9% of the world's super computers and through its Android derivative is the most used single consumer operating system in the world. Much, if not most, of the internet companies use it so its going to be around for a long time

I can strongly recommend Linux, unless you have some very specific software, eg Games playing, that can only be run on a particular operating system.

Cheers from a SLF

Mac the Knife

Well Sh_ee_it!

Never thought there would be a time when I was defending Windows...

First of all: Windows Update:

You can set Windows Update to download updates but let you choose whether to install them.

You can also set Windows Update to install updates on whatever day of the week you choose and at whatever time you choose (say 0300 hrs)

Windows Update releases once a month (Patch Tuesday - the second Tuesday of each month)

With an up-to-date system there are rarely more than 3-7 updates which take 10-15 minutes to install.

So bull**** to that.

As for locking down Windows being a PITA for some users, bull**** to that too unless you happen to be a dev in which case you might reasonably be expected to have Admin rights over your own machine.

At the risk of being boring, Sudo for Windows allows you excellent control for elevation of user privilege and Windows itself can be very easily tuned to be minimally intrusive for specialist users without giving them Admin rights.

I'm set up to run as a special user, with a few limited rights that the ordinary user would not have. Maybe because I'm used to Unix, but having to su to do critical things is just normal for me - just as it should be for everyone.

Od course I can login as root/Admin if I really need to, but most of the time you just plain don't - as any Unix person would tell you.

So bull**** to that too.

Windows can be well secured with minimal initial effort - so don't whine if you run as Admin the whole time and end up getting pwned!

Mac

mixture

Sometimes I think devs should not have admin rights over their machines, that way we might finally start seeing certain software that runs correctly without requiring admin rights.

Mac the Knife

"..that way we might finally start seeing certain software that runs correctly without requiring admin rights.."

Amen!

But most modern user software (surprising how much, apart from system orientated utilities) runs just fine on a standard user account in Win7 and above.

People just have to wean themselves off doing their daily farting around as quasi-root in Windows - it is an invitation to malware.

No *nix user would dream of doing so.

Mac

llondel

I think this is the booby trap alluded to above when you innocently try to reboot or shut down the system. If you're not paying attention, you miss the correct option of "do it right now" and end up with the default option of "once I've installed this lot".

Win7 is a lot better than XP regarding admin privilege and general locking down of the default security.

Yes, that too. I admit to being caught once, in that I was asked to write a program that stored a bunch of stuff in the registry (so the user couldn't easily manipulate it). This was fine on XP but then MS seem to have properly restricted write access to the registry and it didn't work on Win7. Linux never had the concept of a registry, it's all done with random text files so it's easy to look for a per-user config. That seems to be the new MS model now, too.

I remember back in the day thinking that the MS devs should all have been given weedy machines to work with because it would have given them more incentive to make the code efficient and run at a decent speed.