domingo, 26 de julio de 2009

Are we too naive by believing that GNU/Linux is more secure by design?

Hi!

I've been wondering for the last couple of days about the proposition that I use where I state that GNU/Linux is far more secure than Windows among other things because it's designed to be so (a real muti-user OS by design, real Networked OS by design, etc) plus other customs that we *NIX users have like not using the root account to play Frozen Bubble and so on.

Now, there are people that say that it's just that GNU/Linux is less attractive to malware software because there are so few of us GNU/Linux users. I have always thought that this is crap but anyway....

Now, think about the things that FLOSS developers get to do:
- Crack encrypted DVDs
- Allow for communication between Microsoft Windows hosts (with a twisted SMB protocol) and *NIX hosts before Microsoft (reluctantly... but with a lot of PR spin, as usual) released the documentation about it
- Synchronize with iTunes
- Running GNU/Linux on basically any piece of equipment worthy of running it (with or without support by the vendor).. and some others that aren't worthy but....
- Brake every DRM mechanism ever built

And the list goes on and on. No matter what the developers wanted to restrict, there has always being a way to crack it.

Now... if FLOSS developers are able to do basically just everything they set themselves to do, wouldn't it be possible that malware developers will get get to do the same with the security barriers set on a GNU/Linux (or *NIX for that matter) no matter how hard we try to restrain them?

I just wonder

11 comentarios:

  1. Some of the main reasons for security in linux is lack / forbidding of autorun, absence of registry. All things in linux are based on files. Even for adding a hardware and updating in kernel it looks for file named "modprob" with proper permissions. So there are only two conditions.

    Check file permission
    if (owner + conditions satisfied) {
    execute as the owner alone
    } else {
    do not execute
    }

    simple. So even if there is some problem, only the corresponding file or things associated with it will be damaged and our data will be secure.

    ResponderEliminar
  2. Policy kit exists because root user alone is not classed as enough.

    Selinux exists because simple user based are not classed as enough.

    Basically higher level techs are waiting in the wings just waiting for presure to force there usage.

    ResponderEliminar
  3. I would be willing to bet, that there are MORE Linux users than Windows users. The only reason Linux 'supposedly' has 2% of the share is simple. You have to pay for and register every copy of Windows. Every copy sold and activated is accounted for. I can download 150 copies of Fedora 11 or Mint 7 today and not a single one of them will be counted.

    ResponderEliminar
  4. We're naive for thinking that average users can keep their systems secure regardless of the O/S. Most GNU/Linux distros have better security by default than Windows but if users don't understand risk (and most don't) it won't matter what O/S they're running. You can't just give users guidelines and expect security to prevail. Malware will simply be designed to appear to fit the guidelines. To keep a system secure, you have to understand; there is no easy way around it.

    Microsoft made it easy for people to use computers by keeping the details hidden. That works fine for disconnected systems but there aren't many of those around anymore. It's like not teaching kids to do anything (wash their clothes, brush their teeth, pay bills, buy food) and then at the age of 21 saying, "Goodbye, go live somewhere else." except that it's much harder to learn computer security.

    ResponderEliminar
  5. The security through obscurity argument doesn't hold water. Linux has a huge presence in server space, including a majority, I believe, of servers that host the web. Are we to believe that all of these 24/7 connected machines supported the whole infrastructure of the web are't an attractive enough target for crackers?

    ResponderEliminar
  6. Este comentario ha sido eliminado por el autor.

    ResponderEliminar
  7. Two Points

    The safety of not being able to run things downloaded from the Internet automatically is being taken away by improvements to the file managers and desktops, XFCE, KDE and GNOME. The smarter they become and the more files they can open with just one "click" the more danger we are in.

    It takes a lot of work to get someone to download a perl scritp, find where they downloaded it to, change the permissions on it, then at the command line invoke it. It takes a lot less work to have them "save as" to the desktop and click on it and force it to run even if it is not set to be executable.

    Secondly users will always be the downfall. Social engineering can trick users into doing things that are bad for them. Users for the most part don't want to learn about security. It requires to much under the hood knowledge. It would be like your car notifying you that the spark plugs need to be regaped, the break fluid pressures seems to be a few pounds to low and the brake disks have worn down another 5 microns. What does it all mean? Do I need to know this to drive a car?

    That is how most users feel about computer security. To be safe AND get done what they want to get done on line. They have to dig under the hood and learn more than they really want to learn. So they either become mechanics or learn to ignore the saftey lights.

    ResponderEliminar
  8. @Reed: I don't think comparing web servers to workstations holds water either. Linux web servers don't have the disadvantage of an idiot user sitting in front of them surfing the web with admin privileges and a penchant for clicking on anything that promises cute kittens or naked people.

    Linux has many traits that make it harder to crack than Windows; aside from the multi-user capabilities, the natural diversity between different distros is the biggest advantage IMHO. But even with a laundry list of security advantages, we can't expect that the demand for compromised computers will just "go away" if the world switches to a more secure OS. Botnets, identity data, compromised accounts and so forth are big money.

    When it comes to Linux's security, I don't think "obscurity" is the entire picture, but it's part of the picture. Windows is just the low-hanging fruit. It gets eaten first. But if Windows use declines, the baddies of the world will be no less hungry.

    ResponderEliminar
  9. You ask if Linux is more secure, but you talk about if it can be attacked.

    Of course it can be attacked, but surely it also is more secure.

    Banks may be more secure than a cookie jar for your money, but even banks are attacked.

    ResponderEliminar
  10. As a system admin, lemme as my take on Linux security.

    1.) The system you know best will always be the potentially most secure. If you know Windows, Windows will be more secure. If you know Linux, it will be.

    2.) The largest security risk on any system is the users.

    Seriously, when was the last time you saw a computer install it's own virus or rootkit or keylogger without user input?

    You can make the system as secure as you want, create as many seperations of super and non-super users you want, but if you give a user access to root, and convince him that he wants to install Program X (neatly bundled with rootkit or worm) then there is NO way to stop that system from being infected - period.

    So, in summary, yes, this "Linux is more secure than Windows" is false. Any system with users is vulnerable.

    ResponderEliminar
  11. It won’t be wrong to say that the IT sector has made the world stand up and take notice of the countries like India. India’s IT poweress is one reason why such massive deals like the Tata Chorus deal and the Hindalco Novelis deal could get shape and turn into India’s favor. Had it not been for the IT sector, there were chances that these multi million dollar deals would not have matured the way they have. http://www.infysolutions.com/resources/resources.html

    ResponderEliminar