Why Linux is better than Windows or macOS for security

You already know how I feel about this subject, don't get me started. But I thought it was still interesting to read.

https://www.computerworld.com/artic...etter-than-windows-or-macos-for-security.html

 

I don't doubt Linux is the most secure system. It's not surprising with its compatibility issues. Although the 57 people who use Linux worldwide (including me) have always claimed it's the most secure OS.

 

56. one being my great-grandpa passed away at 96 last month.
so, can we say the same for mobile oses that android is the most secure? absolutely not. ios is.

 

Sorry to hear about your great-grandpa. I don't know about Android or iOS. I guess you're right. I think Android has a lot of problems.

 

When Linux gets Microsoft Office you will know it finally made it and it will become a target. Probably as exploitable as any other.

 

it does. ios is much more secure and stable.

 

Probably. I think LibO have other plans though lol.

 

yeah. especially with so many different distros, security-wise it's nowhere near the macos.

 

When they make something to compete with Outlook they may get some user share as well.

 

I can't see it happening soon.

 

In other words, stop using an administrator access for everything and change it for a daily SUA account with UAC enabled.

 

The bottom line is that all operating systems are written by human beings, and human beings make mistakes and can not always anticipate every potential code execution path or vulnerability path. So they are all exploitable. Having said that, I would strongly suspect that all operating systems are quite a bit harder to exploit today than they were 10 years ago, so things are improving over time. Will they ever be perfectly impenetrable? Probably not.

I would say that many argue that Linux is "the most secure" because it can be hardened and tweaked the most. Some distros specialize in security and strongly harden things down. Those can be great for single-purpose servers, but they can also be a pain-in-the-ass or just plain unworkable as a desktop environment running everyday productivity apps for average-joe users. Linux has the freedom to be highly customizable based upon distro and intended use. Windows and macOS... not so much.

Both macOS and Windows have only a single "distro" (although Windows comes in "Server" flavors as opposed to desktop, and macOS / OSX did also once in the past). And both macOS and Windows have to cater to an extremely broad audience, with the entire gamut of users with varying comfort levels with technology. While Linux can still sort of be known as the "nerdy" solution that requires more effort from the user.

Nowadays, in many ways, it is not the OS that is the issue. It is the libraries and applications that run by default on top of the OS. So, for example, the most recent widespread vulnerability with the highest CVSS score of 10.0 (critical) is the Log4j vulnerability (CVE-2021-44228) that has caused quite a storm in the corporate and enterprise world. The flaw exists in a Java programming library, and since Java is cross-platform... in theory, it could affect Windows and macOS. However, in the real world, Log4j is largely a Linux/Unix problem or appliances built around customized/proprietary Linux installs. That's why I am not so quick to subscribe to the idea that Linux "is the most secure" as is commonly floated. Because Linux has a lot of application libraries that simply haven't been battle-tested as much as some of the others. For instance, according to Wikipedia this Log4j "vulnerability has existed unnoticed since 2013."

@Rasheed187... what did you think of the line from your article... Wilkinson flatly states that macOS X “is more secure than Windows,”

 

Just thought I would throw in some quotes from that Wikipedia Log4Shell page... and while it is technically a Java issue, it is in the real-world closely associated with the whole Linux, Apache, MySQL, PHP (LAMP) web development platform since it's part of Apache...

Experts described Log4Shell as the largest vulnerability ever;[8] LunaSec characterized it as "a design failure of catastrophic proportions",[5] Tenable said the exploit was "the single biggest, most critical vulnerability ever",[18] Ars Technica called it "arguably the most severe vulnerability ever"[19] and The Washington Post said that descriptions by security professionals "border on the apocalyptic".[8]​

It's comments like the above, coming from a vulnerability that has caused me some pain in my day-to-day job over the last 4-6 weeks that sort of sour me on the idea that Linux "is the most secure". Again, I get it, Log4j is not really a Linux vulnerability... although it's a bit hard to say that with a straight face when all of the enterprise systems we are remediating for it are Linux systems (as far as I know).

 

It's not Linux issue. It is not even a LAMP issue. Apache HTTP server does not use Java. Backend logic in classical LAMP stack is not written in Java (nor any other JVM language). Thus classical LAMP stack does not use Log4J.
It may be confusing, but Apache Log4J and Apache HTTP server have almost nothing in common aside umbrella organization.
I am using word classical, because we are living in the age of microservice-based backends, so multiple languages may be utilized for different parts of application. However it is rather unconventional to create mix of LAMP stack and Java microservices.

 

Yes, sorry, you are correct. But still, most of the systems we have been most concerned about in our enterprise appear to be Linux systems or custom appliances (e.g., Cisco networking gear) that make use of proprietary Linux operating systems. I'm not aware of any Windows or Mac systems (or significantly used Enterprise Java software running on those systems) that have been a primary source of remediations. However, I could certainly be incorrect in that statement... as I am not aware of all identification & remediation efforts. I'm sure I am wrong to associate it so closely with Linux. The java logging experts can tell me more precisely how it has been used throughout enterprise software and appliance markets.

 

The main reason I run Ubuntu and macOS is that I prefer them to Windows. The other reason is that I can run them without a 3rd party AV.

 

Quoted from the link in the first post:

I believe this applies equally to Windows. As for MacOS, I have no idea because I've never used it.

 

Based on my own experience, Windows can also be safely run without 3rd-party AV. The industry just makes it seem essential on Windows.

 

It can probably be done. If you know what you're doing. I don't lol.

 

Very funny You're only missing the fact that about two thirds of all webservers are Linux systems.

That would help a lot, indeed. Unfortunately, most Windows users don't do that. And they don't use the "max" setting in UAC which is recommended to make Windows more secure.

But this is not the only aspect that makes Linux more secure. There are many others like the large repositories that provide thousands of trustworthy open-source software packages for virtually any purpose (and keep them updated) making it usually unnecessary to download any software from potentially bogus 3rd-party sources. And there are, e.g., several security mechanisms like Mandatory Access Control (MAC - SELinux, AppArmor, etc.), namespaces, seccomp-bpf (used, e.g., in Firejail and systemd). There are no equivalents in Windows. Granted, those mechanisms are not that widely used as it would be possible. The reason is that, at least, Linux desktop systems are currently not really under attack. But the point is that that technology is already available, and if the attack scenario changes in the future it will be relatively easy to deploy it more comprehensively. And that is why statements like

are wrong. If MS Office should ever come to Linux it would be easy to sandbox it with Firejail or confine it with AppArmor like any other application.

Well, most libraries have been available for many years. And as mentioned above most webservers are Linux systems and battle-tested for a long time. I agree that open source is no guarantee that everything is secure (Log4J is only one example among many others). To be sure, Linux is not perfect at all. But is that a reason to believe that closed-source software - where nobody can check the source code and find hidden vulnerabilities - is any better/safer?

EDIT: I just read this article which seems to contradict what I wrote above. But it doesn't. Those IoT devices are often poorly setup, contain no security mechanisms and are usually not maintained and never updated.

 

Actually I knew that. Although I thought it was over 2/3rd's. I know the internet basically runs on Linux.

 

True, but the running joke is that "This will be the year of Linux on the desktop". Almost nobody (in comparison to other OSes) runs it on the desktop. The web servers are all someone else's job to maintain. Unless it's your job.

 

It reminds me of the joke about flying cars. They're always twenty years in the future. They've always been twenty years in the future, ever since cars.

 

And 100% of the top 500 supercomputers.
https://itsfoss.com/linux-runs-top-supercomputers/

https://www.quora.com/Why-do-nearly...U-Linux-is-just-one-of-many-operating-systems

Important reason (among a lot of others):
Kernel can be customized.

 

With 0% of those supercomputers being affordable by the general public. Choices only matter when you have one. Not to belittle the situation, it is an impressive achievement that does not apply to most of us.
I found these statistics interesting, and the article seems recent enough to be relevant:
https://hostingtribunal.com/blog/operating-systems-market-share/