Why Linux is better than Windows or macOS for security

Discussion in 'all things UNIX' started by Rasheed187, Jan 19, 2022.

  1. xxJackxx

    xxJackxx Registered Member

    That discussion could circle around for years, but I seriously have to suspect that if either of those would somehow reach a 90% market share, all of the undiscovered holes would be found very quickly. Security by obscurity is a thing. Just not a good thing.
     
  2. Rasheed187

    Rasheed187 Registered Member

    Yes exactly, just look at macOS. Now that it's becoming more popular, more and more holes are getting found. Also, there were two major hacks on companies that used Linux servers in the last months; malware could operate quite stealthily before being discovered. And these are attacks that we know of.

    A lot of attack techniques that work on Windows also work on macOS and Linux, just look at the MITRE ATT&CK framework. Of course this doesn't prove that they are just as insecure as Windows, but still. BTW, in the upcoming Pwn2Own contest (May 2022) they will try to hack Ubuntu, macOS and Win 11.

    https://www.zerodayinitiative.com/blog/2022/1/12/pwn2own-vancouver-2022-luanch
     
  3. Daveski17

    Daveski17 Registered Member

    Mac is around 7-8% of the market share. It's not becoming that much more popular. Linux is significantly less. There is a really obviou$ reason why AV companies, that once catered predominantly to Windows users, are now trying to flog their products to macOS and Linux users. You can either see this or you can't.
     
  4. Krusty

    Krusty Registered Member

  5. reasonablePrivacy

    reasonablePrivacy Registered Member

    Whole Debian vs a clean install of Windows? It is an apples vs oranges comparison. Debian has a whole repository of software for server and desktop purposes etc. A standard install is only a tiny bit of what the repository contains.
    Even then, just scroll to the bottom of the page of your first link. Look at the highest column: it is for Microsoft. Microsoft has over 20k CVEs while the whole of Debian is below 6k.
     
  6. summerheat

    summerheat Registered Member

    AppArmor and Firejail are very solid sandboxes. But there is never a 100% guarantee - and this is also true for any security tool in Windows.

    As mentioned earlier, Linux desktop systems are not under attack (contrary to Linux servers). That's why most people don't use Firejail, and in AppArmor only a limited number of applications are confined by default (unless you create your own profiles). But again, those technologies are readily available and could be easily implemented on a larger scale once this becomes necessary.
     
  7. summerheat

    summerheat Registered Member

    Right. The Debian repositories include about 40,000 packages for nearly every purpose. Counting the vulnerabilities for those packages and comparing that with a "naked" Windows installation is utter nonsense. Besides, vulnerabilities in Linux are always published. I'm not sure if this is also the case for Windows where Microsoft probably also fixes bugs internally without necessarily informing the public.
     
  8. wat0114

    wat0114 Registered Member

    As usual, I'm eagerly awaiting the results of this contest. No doubt the hacking attempts will be against vanilla installations of the OSes. I'd really also like to see these attempts against hardened installations of these same OSes.

    As for which is more secure: Windows or Linux, I believe this is all so overblown, at least for the typical home user, because most of these end users are getting infected by happy clicking on malicious email links or attachments, visiting dodgy websites with no browser hardening in place, or installing cracks. If Linux was the dominant OS in the home market, infection rates would likely be about the same as they are for Windows users. Who knows, maybe even higher, but even if that were the case, it would be largely because of - just my opinion - reckless behavior by the home end user.

    I use Linux along with Windows because:

    1. It's a learning experience. Kind of like learning another language, exercising the brain.
    2. Some gratification in knowing something about another OS, and not just Windows.
    3. Updates apply so much faster than in Windows, usually never a reboot required.
    4. Boots and loads to the Desktop much faster than Windows. Others' mileage on this will no doubt vary.
    5. Telemetry is far less an issue than in Windows.
    6. It serves my home needs equally as well as Windows does, without sacrificing anything.
    For work, my employer provides me with a Windows COE device.
     
  9. reasonablePrivacy

    reasonablePrivacy Registered Member

    @Krusty
    Also it is important to note Debian was begun in August 1993 with its first stable release on June 17, 1996. You can not fairly compare it with Windows 10, which was released on June 29, 2015. One should add all non-duplicate vulnerabilities from Windows 8, 7, Vista, XP and so on up to Windows 95.
     
  10. Rasheed187

    Rasheed187 Registered Member

    You do realize that browsers on Windows are also making use of sandboxing, right? But I understand what you're saying, in Linux this stuff can perhaps be more easily applied to most apps. Microsoft also tried this with AppContainer but in practice it's probably too hard to redesign most Win32 apps for AppContainer. But that's the thing, only apps that are easily exploitable should normally be running sandboxed. But you didn't answer my question: if someone is getting tricked into running ransomware on Linux, how would it protect against this?

    The reason is that in the latest successful drive-by attacks on macOS, built-in security like Gatekeeper and XProtect was easily bypassed, so no wonder these companies are now trying to make a few extra bucks. But whether third party security would have fared any better remains to be seen, that's a different discussion.
     
  11. Rasheed187

    Rasheed187 Registered Member

    This is actually quite interesting. I noticed that in 2021, macOS got more code execution bugs than Windows 10, and these bugs are also rated quite highly. So the next question is, how easy is it to actually exploit this stuff? Without this information it's difficult to make a fair comparison.
     
  12. Rasheed187

    Rasheed187 Registered Member

    Exactly, the thing that we need to remember is that most of the vulnerabilities in Windows aren't even remotely exploitable AFAIK, at least not on home user machines. Also, exploitable apps like browsers already make use of sandboxing which has made things even more difficult for hackers.

    And yes there's a lot of malware available for Windows, but just like on any other OS, hackers will first need to either trick users into running malware or try to exploit some vulnerable app like the browser. After that they will also need to bypass first party security like Windows Defender and Windows SmartScreen. Just like how on macOS they would have to bypass Gatekeeper and XProtect.
     
  13. Daveski17

    Daveski17 Registered Member

    No, that's the specious reason. The real reason is that MS now has an effective AV bundled with Windows and has addressed many security concerns. Mac OS has always had occasional vulnerabilities that needed to be patched. It's nothing new.

    Third party AV companies need new customers. So they create them. They know many people are taken in by FUD. Luckily, I'm not one of them. Some people are easily fooled or frightened. It's one of the oldest tricks in the book.

    "All warfare is based on deception" ~ Sun Tzu
     
  14. summerheat

    summerheat Registered Member

    This is also the case in Linux - see here, e.g., for Chrome/Chromium (and similarly for Firefox). I was talking about AppArmor and Firejail which additionally confine (not only) browsers. Which means that those already sandboxed browsers are running in another sandbox (which not only sandboxes the renderer but also the broker process and, hence, protects against flaws in IPC).

    That depends. How is a Linux user assumed to run ransomware? Since the repositories contain thousands of trustworthy applications there is hardly a need to download software from some bogus 3rd-party sources. If you download a malicious script you have to explicitly make it executable first. And if you want to install something that can seriously harm your system you need root (=admin) permissions. That would mean game over, indeed, although some security mechanisms like AppArmor or SELinux could limit the damage to some extent. So the probability that a Linux user executes/installs malware is very small (and if it is about malicious documents/images whatever it really depends if the relevant applications are sandboxed). Another story is Linux servers: they have to have open ports (otherwise they wouldn't be servers after all), and if something is misconfigured, weak passwords are used or the system hasn't been updated in a long time an intruder can cause serious harm.
     
  15. wat0114

    wat0114 Registered Member

    Excellent point you bring up. There was a member of these forums, who unfortunately left years ago, who tried to hammer this home over and over again, probably beating his head against the wall trying to get this across to both Windows and Linux users. I created a script which I run sometimes when I want to clear syslogs:

    Code:
    #!/bin/bash
    # Empty the system log in place; the file, its owner and its permissions stay as they are
    sudo truncate -s 0 /var/log/syslog
    ...which I had to make executable and give ownership to myself to run it.

    clearsyslogs.png
     
  16. nicolaasjan

    nicolaasjan Registered Member

    Isn't it the case that a script can already be executable when delivered in a .tar.bz2 or .tar.xz file?

    When I compress scripts for backup and unpack them later, they are still executable.

    [Edit]
    When downloading the VeraCrypt generic installer from here and extracting the veracrypt-1.25.4-setup-gui-x64 shell script, it is executable.
     
    Last edited: Jan 30, 2022
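The two posts above make opposite-sounding points that are both right: a script you download on its own is not executable until you chmod it, but a script packed into a tar archive arrives with whatever mode bits it was packed with. The following added example (not code from the thread or from VeraCrypt) builds a throwaway archive containing a mode-755 script, shows that the execute bit survives extraction, lists which members would arrive executable before anything is unpacked, and then strips the execute bits so you can read the scripts first. The file names, the archive name and the temporary directory are all constructed here; nothing is downloaded. Compression does not change the result, because the mode bits sit in the tar header, so a plain .tar is used to keep it dependency-free.

```shell
#!/bin/sh
# Added example, not from the thread: show that tar preserves the execute bit
# and how to inspect and neutralise it. All inputs are constructed below.

set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Construct the demo archive: one mode-755 script and one mode-644 data file.
make_demo_archive() {
    mkdir -p "$WORK/src"
    printf '#!/bin/sh\necho hello from the packaged script\n' > "$WORK/src/setup.sh"
    chmod 755 "$WORK/src/setup.sh"
    printf 'just data\n' > "$WORK/src/README"
    chmod 644 "$WORK/src/README"
    tar -C "$WORK/src" -cf "$WORK/demo.tar" setup.sh README
    printf '%s\n' "$WORK/demo.tar"
}

# Inspect without extracting: print regular-file members whose mode string
# carries an execute bit. In `tar -tvf` output the first field is the mode
# (e.g. -rwxr-xr-x) and the last field is the member name.
list_executable_members() {
    tar -tvf "$1" | awk 'substr($1, 1, 1) == "-" && $1 ~ /x/ { print $NF }'
}

# Extract into a fresh scratch directory and report what the file is on disk.
extract_and_check() {
    rm -rf "$WORK/out"
    mkdir -p "$WORK/out"
    tar -C "$WORK/out" -xf "$1"
    if [ -x "$WORK/out/setup.sh" ]; then echo executable; else echo not-executable; fi
}

# Defensive habit for untrusted archives: drop every execute bit right after
# extraction, read the scripts, then chmod +x only what you decide to run.
strip_exec_bits() {
    find "$WORK/out" -type f -exec chmod a-x '{}' +
    if [ -x "$WORK/out/setup.sh" ]; then echo executable; else echo not-executable; fi
}

# Stand-alone run: prints "setup.sh", then "executable", then "not-executable".
ARCHIVE=$(make_demo_archive)
list_executable_members "$ARCHIVE"
extract_and_check "$ARCHIVE"
strip_exec_bits
```

The `list_executable_members` step is the one worth keeping as a habit: `tar -tvf` reads only the headers, so you learn what an archive intends to make executable before any file lands on disk, and the same listing works for .tar.gz, .tar.bz2 and .tar.xz with the matching decompression flag.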
  17. wat0114

    wat0114 Registered Member

    You are correct. Although for Access Permissions I have "Can Only View", so at least sudo elevation is required to start the Veracrypt installation process. Interesting!
     
  18. nicolaasjan

    nicolaasjan Registered Member

  19. wat0114

    wat0114 Registered Member

    Thanks nicolaasjan!

    I run the script sometimes for the sole purpose when I'm log profiling (logprof) an apparmor-enforced application. That said, there are likely many logged events which I'll never need, so that link is worth checking out :)
     
  20. nicolaasjan

    nicolaasjan Registered Member

    The password requirement is in the script itself:

    Screenshot_shellscript.png
     
  21. nicolaasjan

    nicolaasjan Registered Member

  22. wat0114

    wat0114 Registered Member

    Is the script initiating the password prompt, or is it the fact that I always require sudo to install a package or updates and other similar tasks requiring sudo that is initiating it?

    sudo prompt.png

    As for the EvilGnome malware, would sudo be bypassed when the backdoor is installed?
     
  23. nicolaasjan

    nicolaasjan Registered Member

    When a package wants to install in your /home/user directory, then there is no password required.

    So it won't ask for a password...

    https://www.bleepingcomputer.com/ne...door-spies-on-linux-users-steals-their-files/

    https://www.intezer.com/blog/malware-analysis/evilgnome-rare-malware-spying-on-linux-desktop-users/

    https://www.youtube.com/watch?v=3i7fXe1bWyU
     
  24. wat0114

    wat0114 Registered Member

    Okay I see what you're saying now. Thanks!
     
  25. xxJackxx

    xxJackxx Registered Member

    A valid argument for security. Also a valid argument for why it is too hard to use for many. Probably the same people that would get tricked into running it in the first place. I won't pretend to have the answer on how to bridge that gap. Trying to convince people to use Linux is not an OS problem, it is a people problem.
     