I think this thread might fill itself. I am out dated at the moment with thoughts of OpenBSD
OpenBSD is at the top of the list. Next might be FreeBSD and then Linux. There are specialized distributions of all of them for maximum security.
Forget anything which is closed source.
OpenBSD is at the top of the list. Next might be FreeBSD and then Linux. There are specialized distributions of all of them for maximum security.
Forget anything which is closed source.
Agreed. I'm a FreeBSD user myself however I admire OpenBSD a lot, it's clean, functional, expertly designed with a focus on security and very easy to use. Sadly I'd miss ZFS and some other FreeBSD features too much if I switched.
Forget anything which is closed source.
Why?
Z/OS on a Z-series server hardware has much to offer in the way of security. It's not open source by any means. Being closed or open isn't a reliable guide to security.
It's a bit like asking "What's the best car?". The answer is, it depends.
Windows is quite often said to be "insecure" or "less secure than Unix/Linux/BSD" but nothing could be further from the truth. It all depends on how it's configured and deployed. The same applies to every operating system. Using Windows as an example, it's still used in Government organisations up to and including "Top Secret" classification.
Just about every operating system can be made to be insecure or vulnerable. It will also depend on the application; the more services you install and run, the more chances of an increased security risk. Then there is security of the hardware itself, for example: Who has access to the physical ports on the device?
There is no magic pill when it comes to cyber security. It's a multi-layered approach. I've spent many years studying and working in this industry and even my knowledge only scratches the surface.
Forget anything which is closed source.
Why?
Z/OS on a Z-series server hardware has much to offer in the way of security. It's not open source by any means. Being closed or open isn't a reliable guide to security.
Forget anything closed source because there is no possibility of verifying it or patching it and knowing it was verified or patched. (1)
That does not help with binary blobs and compromised hardware but it is a start.
Do you believe all of these various exploits in closed source products are accidents? I do not. And even if they are, you still have organizations like the NSA compromising things and then preventing patches so they can take advantage of the security exploits and then allowing these exploits into the wild as Baltimore has found out.
(1) You must also be able to compile it yourself which is not difficult with BSD or Linux.
Are you also prepared to forget superscalar CPUs and turn of hyperthreading due to cache timing attacks, and stop processes from rowhammering memory?
Are you also prepared to forget superscalar CPUs and turn of hyperthreading due to cache timing attacks, and stop processes from rowhammering memory?
Some things we have little control over.
I already end up disabling hyperthreading on Intel CPUs because of poor reliability. That took weeks to track down.
I built my systems with ECC and used higher than necessary refresh and scrub rates even before rowhammer was reported.
I'm not sure what taking my post completely out of context achieved but that's fine. I was summarising and not writing an essay on the security of multiple operating systems.
I spent decades securing Windows. Believe it or not, there are people out there that can do that (which doesn't involve a lack of connectivity and being buried in concrete).
Also, for full disclosure, I run Fedora as my full-time operating system on multiple machines and servers at home, just before I'm accused of being a Windows fan boy. I was merely citing one example out of many. ;-)
I find these responses interesting. The question is what the most secure operating system is. To me, the answer to that would be the operating system that goes without incident for the longest period of time with an average person doing average things. Sure, a computer you never turn on is the most secure but then it isn't really a computer at that point. And yes, Unix and Linux tend to have better track records in general, but they usually have trained people setting them up and knowing how to lock them down. Plus, the threat model of a server is much different than the one for a desktop. In addition, Grandma's threat model is much different than that of a corporate drone. If you don't keep all the variables in mind, then you aren't really comparing the same things. It is like asking what car is safer, but then using SUV front-crash results vs. sub-compact car side-impact results.
For example, someone brought up the story (which went viral 14.5 years ago) about how Windows XP took an average of 20 minutes to be exploited after being put on the Internet. However, that was a fresh-install machine connected directly to the Internet (no router, NAT, or firewall), without a host-based firewall enabled, and everything at default settings, including wide-open and world-accessible SMB ports. It was probably even worse with Grandma behind the mouse clicking whatever tickled her fancy. That is nowhere close to comparable to a professionally-administered machine behind the layers of corporate security and "sufficiently" secured (for various definitions of sufficient) before being allowed through the firewall. Until you take those things into account, you aren't really comparing operating systems, you are instead comparing the technical prowess of their users.
If I include reliability then Windows of any version is not even close. My Windows 10 system regularly "fails" with updates. My main XP system can run about 2 weeks before resource leaks require a reboot. My backup XP system can go at least a month. My FreeBSD box lasts until power is lost unlike my cable modem.
I find these responses interesting. The question is what the most secure operating system is. To me, the answer to that would be the operating system that goes without incident for the longest period of time with an average person doing average things. Sure, a computer you never turn on is the most secure but then it isn't really a computer at that point. And yes, Unix and Linux tend to have better track records in general, but they usually have trained people setting them up and knowing how to lock them down. Plus, the threat model of a server is much different than the one for a desktop. In addition, Grandma's threat model is much different than that of a corporate drone. If you don't keep all the variables in mind, then you aren't really comparing the same things. It is like asking what car is safer, but then using SUV front-crash results vs. sub-compact car side-impact results.
I think the point is that most default installations of *nix-based systems minimize permissions/security issues and need to be "opened up" for many applications, whereas default installations of (say) Windows are by default very iffy and exploit-prone. It's pretty hard to make a modern *nix susceptible to hacking without knowing a little about the structure and configuration of the OS. I have set up countless different computers, and with similar firewall protection, the difference between number of *nix / Mac and Windows systems incidents is pretty sizeable unless you install a constantly updated spyware/virus suite.
I use HardenedBSD for systems where I need low attack surface and high attack resilience.
Gesendet von meinem MI 9 mit Tapatalk
Most secure
from what? Remote access attacks? Nefarious local users? Unprivileged hardware access? Breaking out of user restrictions? Bugs? Data collection by organisations that sell your information? Data collection by government(s)? Data collection in general?
If you know what the machine is used for, you can always harden it; how much, varies from OS to OS. On some, you need additional proprietary/commercial software. On some, the needed tools are baked-in to the OS. In my opinion, OpenBSD has the most emphasis on security of the open-source operating systems.
I don't know about Windows or Mac OS, because I don't use either, and have no idea on their developers' emphasis. As I've used and hardened Linux systems for over two decades, I find that one easy to secure (to my own definition of "secure").
... Windows 10 system regularly "fails" ...
There's your first problem... Windows 10 ;-)
For a long time Microsoft even had it as their official policy to not have any security features on by default (like a firewall, multiple users, password login) because they said their studies showed that end users found it annoying.
Jeff Jones, Microsoft's senior director for "trustworthy computing," said the company was heeding user requests when XP was designed: "What customers were demanding was network compatibility, application compatibility."
https://www.washingtonpost.com/archive/business/2003/08/24/microsoft-windows-insecure-by-design/57eeb240-bc22-4c89-b195-0946d8a27281/?utm_term=.e0ace1eed7f4
Exactly right. Microsoft Windows is "White Goods" for the masses, 'ease of use' trumped security every time with Windows because this is a COMMERCIAL OS, it only exists for ONE REASON ... $$$$. Windows users who thought they were smart would use 'password' as the password, others used their name. What scant security Windows actually was capable off was soon nullified by its users.
Ease of use V/S security is always the compromise.
Most secure from what? *snip*
Ding ding ding, we have a winner. You can't say anything meaningful about security until you state precisely what you are defending against. Until you do that, you're just tossing shit against a wall and seeing what sticks.
The only correct answer is: The operating system you know well enough to secure and monitor properly.
In competent hands, most operating systems[1] can be made secure.
In incompetent hands, *any* and *all* operating system will become insecure.
In theory, Open Source is better than Closed Source, but in practice only if somebody actually reads the source code.
Finally you also have to consider "secure against what and whom?"
No operating system is secure against state level actors like NSA[2].
So pick an OS that does what you need it to do[3].
Spend the time (years!) it takes to learn that none of it is "black magic".
Only if you are willing to do that, then your OS will be as secure as you can hope for.
/sign Your Friendly Kernel Hacker[4]
[1] The exceptions are "walled gardens" like OS/X and Android, and old insecure-by-design OS's like Win95...XP.
[2] See also:
[3] As part of that selection, you will also want to look at the organization and people behind the OS, because you are going to live with them and their antics.
[4] Yes, I wrote a lot of FreeBSD, but that doesn't mean it is right for you.
Remember the movie "war games". How easy things were to hack back in the day before security started to get implemented?
Well its now 2020.....who possibly remembers all them exploits from back in the day?
Its because of this I say the most secure operating system are the old ones
.
Define secure OS. Secure against what?
Alexander.
For a long time Microsoft even had it as their official policy to not have any security features on by default (like a firewall, multiple users, password login) because they said their studies showed that end users found it annoying.
Yep. I remember when they finally enforced UAC in Windows Vista. Many, if not most users found that infuriatingly annoying at the time. It took a lot of time and a lot of pedagogy so that people would eventually get used to it - let alone see the benefits.
Define secure OS. Secure against what?
Yep. Obviously heavily depends on use cases.
An OS for desktop use? For server use? In what kind of hands? Etc.
These days, for desktop/workstation use, you'll still have far less potential security issues using a Linux distribution than using Windows or MacOS. OTOH, a number of things other than security can be annoying for the average user.
For servers directly exposed to outside connections, it's more involved.