As far as linux goes, well, it isn't perfect (nothing is), and it would be an oversimplification to say that it eliminates the problems of getting your system infected by malware at the drop of the hat.
But to a very good approximation (i.e. is is much more true than not) it is really true that it offers you those protections as close to reliably as almost anything else can and certainly better than MS Windows!
For many years you do have available things like mandadory access control systems like SELinux as free upgrades to LINUX, there are a few variants of that sort of scheme and several implementations / extensions to actually configure and use it by default (in some ways whether limited or not) in various user oriented distributions.
https://en.wikipedia.org/wiki/AppArmorhttps://en.wikipedia.org/wiki/Security-Enhanced_LinuxEven the ordinary security systems like the basic unix permissions system and the ordinary login / password based security isn't bad. It isn't perfect but it is by no means "nothing". It also for many years has been able to use techniques like ASLR and data execution protection:
https://en.wikipedia.org/wiki/Address_space_layout_randomizationAlso it is a matter of the 'ecosystem'. Have you not read articles that stated how prevalent malware is in Android apps or also many MS Windows downloads? Where a high percentage of inexpensive paid and free apps are malware right from the start? And then look at the statistics for critical insecurities even in many of the most prevalent and most major apps for MS Windows. The crapware Adobe makes like Reader or Flash stand out as prominent examples. Almost a monthly never ending circus of critical vulnerabilities that were actively exploited for... decades. Literally. MS Office crap and their joke browsers et. al. not much better.
Then again look at LINUX. Yes, not perfect, yes, it does from time to time have critical vulnerabilities in the OS or core GNU components or the applications. But compared to MS Windows? Please. No comparison. As the fellow said above UNIX stuff has in some large part originally been made by engineers for engineers. Many of those authoring engineers actually having deep philosophical mistrust for the insecurity and unpleasantness of MS Windows software. So they made ALTERNATIVES to Adobe Flash, internet explorer, Sun/Oracle JAVA, Adobe reader, MS Office, codecs, movie players, audio players, etc. etc. Yes typically such "linux app software" has had a lot worse record of vulnerabilities than the "core UNIX OS" components. But overall over the past couple of decades you just don't see anything like the rate and severity of critical vulnerabilities in the UNIX apps than the MS Windows ones. Again, look at the track record for Adobe Flash and Adobe Acrobat Reader and MS Word. Non stop disaster multiple times per year always some new critical problem. And that's SW that is put out by multi-billion dollars valuation companies with teams of hundreds of professional programmers. The UNIX alternatives put out usually by 1-20 core amateurs working as a hobby unpaid more likely than not.
And the UNIX versions usually worked better and were more secure.
UNIX "always" has given you plenty of good and generally free solutions for important things like:
* Authentication security (e.g. PAM)
* User security (it actually is a proper multi-user system with encouragement to have all services and system functions partitions into totally different logins each with only the access it requires to other programs and the system resources).
* Extensive logging / auditing (syslog, etc.).
* Excellent backup and data integrity protection / verification tools.
* Filesystems that don't completely suck. :)
* Excellent update / package management options in most common distrubutions.
* Excellent transparency (open source, open development processes) / community auditability etc.
* Network security (all kinds of things like IPSEC, SSH etc.)
* Industrial strength network / system monitoring and intrusion detection tools.
* Fully user controllable system "attack surface" to the point where you can easily strip a system down until it does one thing and only that one thing all the way up to having any subset of any given services / applications you want enabled and nothing you don't want.
* Extended domain isolation solutions (containers, VMs, chroots, jails, ...)
* Industrial strength network routing and firewalling built in to almost the most basic installations (IPTABLES, et. al.)
Ultimately though if the USER is in CONTROL of the SYSTEM then it is a losing game. If someone is stupid enough to "just click ok to anything", "believe anything" then of course in short time they can be convinced to self-install malware because some web site promised them a funny joke or dancing monkey or cute cat video or free game or something.
But assuming some basic IT sensibility and literacy is required to have the competence to administer ANY computer with a bit of wisdom, UNIX gives you all the tools you need to have anywhere from industrial strength security to a "totally open" unsecured PC, your choice.
The difference with MS windows is that:
A: You DON'T (to a good approximation) have the tools to configure / control / administer your own system even if you had the knowledge and will to do so. Yeah maybe if you're running windows enterprise server they give you more of that. But look at what they nerfed in the home editions of the OS in Win7 and above vs. the Server/Enterprise ones. You don't even HAVE administrative control over most things.
B: The base distribution is for the most part (Win7 and above, particularly Win8/10) is pre-infected with spyware/malware that you don't control.
C: You can't meaningfully strip unwanted attack surface out of the system beyond a certain point.
D: The crapware Microsoft and others publish for the OS is often just that, crapware that is too dangerous and actively user hostile to trust. Again, Flash, Reader, etc. etc. long history.
E: They actively limit you from having access to good open software alternatives in applications on these increasingly "walled garden" user lock in platforms.
F: At the end of the day it is not a "multi user" (as in simultaneous) system and inherently is an expensive system to deploy. On LINUX you can pay $35 or whatever, buy a Raspberry PI, and you have a *dedicated* LINUX machine. Maybe you use it to do all your banking or whatever is secure as a physically air gapped distinct computer from your "ordinary PC" you use to play video games or whatever. Or maybe you just spin up some different purpose VMs for such partititioning of secure vs insecure use activities. You can't cheaply do that using MS Windows both because of the system requirements and the OS licensing and administration setup doesn't make it practical. LINUX option makes it easier and cheaper not to put all your eggs in one basket.
G: The filesystem and backup utilities are beyond a useless joke in MS Windows. Now for $100 cost you can buy a simple hard drive that gives you capacity to store more information than is contained in a large sized library worth of books. Enough room almost to store your entire life time's of records and information on except for high quality videos. A key part of protecting your information security is making sure it remains accessible to you with integrity. But you CANNOT do that at TByte scale on MS Windows. Full stop. You don't have the management, administration, organization, access, access control, backup, filesystem and other tools to even begin to do so sanely and scalably. Although UNIX isn't perfect in these regards, again, it is the thing that is being used in places like libraries, data centers, et. al. for these purposes. Anything less is just a toy.
So yeah no matter what OS you run (with only a few exceptions you would not use) it isn't going to MAKE you secure unless you obey the computer not the computer obeying you. But LINUX givex you enough tools and choices to "easily" (by sysadmin standards) have industrial strength reliability / security.
If you choose not to do so you are only shooting yourself in the foot by ignorance or laziness.
In a meaningful way you don't even have the OPTION to achieve that level of security with MS Windows unless again you're some expert sysadmin running enterprise server cluster or something. Not even possible with "home edition".
Interesting thread.
Linux won't give you "any more security". Not unless you've configured SELinux properly, which you probably haven't. For example if there is a buffer overrun in Firefox then it can escalate quite happily to run execve() and piss all over your user account unless it's in an SELinux context which allows access to only the files and network sockets that Firefox needs to run. Once your user account is compromised then it's game over either way as that's where your data lives which is the highest protection priority on the system. The main reason to run Linux is "functional idempotency" which means every time you get it to do something it does the same thing, and does it pretty damn quickly, unlike certain monolithic lumps of poo from Redmond. Oh and it's free.
Really:
1. Use linux but don't assume it's any better for your security, mainly just your sanity and productivity. Most of the attack vectors are still there but just not exploited routinely.
2. User diligence is more important than safety nets.
3. Make sure you can move everything you have off the cloud in a snap if you have to.
Home
Help
Search
Login
Register
Topic: Microsoft wont let me in my email anymore (Read 969 times)