Don’t they claim Linux is secure?

I’ve spent so many years hearing Linux fans claim it is totally secure that I just had to post this one. Duqu, the most sophisticated and mysterious Trojan since Stuxnet (and perhaps related to it), compromised Linux servers to create its Command and Control infrastructure. “Many of the servers that had been hacked to become part of Duqu’s infrastructure were running Linux, namely CentOS 5.2, 5.4 or 5.5, a community version very similar to Red Hat Enterprise Linux.” Now obviously Windows was compromised by Duqu as well, so I’m not trying to claim Windows is more secure than Linux. I’m just reiterating a message that ALL operating systems are vulnerable and to claim otherwise is irresponsible (and one of the all-time great security myths). Other recent examples include the targeting of Mac OS by fake Anti-Malware attacks, the massive growth in malware targeting Android, and even a researcher demonstrating that you can download malware into printers! The difference is that after years of attacks everyone in the Windows ecosystem recognizes the threat and most are actively working to confront it, while the Linux, Apple, Android, etc. ecosystems still largely have their heads buried in the sand.


4 Responses to Don’t they claim Linux is secure?

  1. grawok says:

    In the Duqu story, the exploit is based on a vulnerability with OpenSSH prior to version 5.1 (which was released in July 2008). If sysadmins use out-of-the-box outdated software (version 4.3 was released in Feb 2006) and neglect security updates, shame on them.
    Funny to see your conclusion though, as if security was an option Linux and, to an extent, open source projects ignored so far. Amazing.

    • halberenson says:

      The same is almost always true of Windows as well. Nearly all of the attacks are on Windows XP, which was released in 2001! And very frequently you see attacks succeed because people haven’t patched their software (e.g., particularly a problem with Java and other non-Microsoft software these days) even though patches for the issue have been available for years.

      Actually I’m not saying that Linux has ignored security, I think it is quite the opposite. I’m saying that the ecosystem built around it, including customers, sometimes think it is invulnerable and thus don’t take proper precautions. Windows customers have to go out of their way to not have patches automatically applied. Linux customers may think they don’t have to patch, or patching is still way too fragile (which is what others report), to be practical. The use of anti-malware software on Windows is relatively high. How many Linux machines run anti-malware software? And how good is it (e.g., my experiences with ClamAV not being so positive)? There are just too many people in the Linux (and Mac and Android) community who see an attack on Windows and say “See, you shouldn’t be using Windows; That could never happen to my Linux system” for me to believe they understand how vulnerable they are.

      Linux has really had only three things going for it over the years. First, it inherited from an inherently multi-user system (Unix) and thus users generally did not need to use root or other administrator privileged accounts for normal usage. While this was technically true for Windows NT and later, from a practical (compatibility with the pre-NT single user kernel) standpoint all users on client machines ran as administrators until Windows Vista. And even on servers people were sloppy about requiring or granting accounts minimal privileges until relatively recently. Second, because Linux was so customizable it was possible to eliminate components you didn’t actually need and this allowed for a reduced attack surface. This is something Windows Server has been focused on as well, particularly from Windows Server 2008 forward. At this point I don’t believe there are any inherent security advantages of Linux over Windows. So now it comes down to how easy is it to manage configuration and update processes, availability and use of mitigation techniques (e.g., anti-Malware), and perhaps most importantly how paranoid are the system administrators and other users.

      • halberenson says:

        Forgot the third thing: It just hasn’t been the subject of as much interest from the bad guys as Windows. That’s mostly a client thing obviously, since even poorly managed server environments are generally better managed than any client environment. And Linux just doesn’t have a big enough client footprint for the bad guys to care.

  2. Reblogged this on João Rui Alveirinho Correia and commented:
    I’m not the only one thinking…
