Response to “Linux vs Windows”

In this blog post, I will be giving a brief response to a section of an online article I found. The article claims that Linux is “more secure” than Windows, but this is of course not accurate. The article can be located at:

Please note that I mean *no* disrespect to the author of the article.  Please also note that I am just going to reply to the part of the article that talks about Windows’ security. I’m not replying to the whole article.

The direct quotes from the article are in red, and my responses are in black.

Linux on the other hand , has always been a secure operating system since the early days. It has often been the subject of debate that an open source operating system cannot be as secure as a proprietary one, but Linux has proved  that belief to be untrue. Overall, I believe that Linux offers much more security by default.

This is not true at all. Linux has had its fair share of security vulnerabilities too. Also, Linux was not “always secure from the beginning” either. Linux itself had to undergo a lot of security patches to get it where it is today.

Overall, I believe that Linux offers much more security by default.

Not really. A default install of Windows Server 2012 R2 and CentOS Linux will have similar security defaults out of the box.

As the links will show you, there have been several security problems discovered in Linux. Why people insist on saying that Linux is “more secure” than Windows is beyond me.

Access Privileges – Linux by default does not run as a root (the Windows ‘administrator’ equivalent) This ensures that any automated program or script cannot make changes to the system without explicit privileges from the user.

Windows (since Vista) does not let the user run as Administrator by default. The default Windows user has to press “Yes” on the UAC prompt to gain Administrator access. Otherwise the user is still a “limited, non-Administrator”.

Linux (specifically Ubuntu) does something similar. The default user in a Ubuntu install is a limited account too (like Windows) with privileges to access root if the user wants to, but instead of having to click a “Yes” button to gain Administrator access, the Ubuntu Linux user has to enter their password instead.

I suspect Microsoft opted for clicking a “Yes” button for more user-friendliness. However you can have Windows force users to enter their password, instead of just clicking a “Yes” button.

Although Windows has implemented a similar mechanism called ‘User Account Control or UAC’, Which does provide good protection although not as robust as Linux does.

You claim that UAC is not as “robust” as Linux (I assume you are talking about “sudo” in Linux). This isn’t true. UAC is basically doing what “sudo” on Linux does. Allowing a Windows user to elevate him/her self to Administrator, without having to be Administrator all the time.

Viruses – Viruses and other malware continue to be a constant headache for windows users. Combating viruses is not only time consuming, but also expensive when we talk about using Windows in a large scale production environment. Moreover, there is always a need to purchase expensive antivirus software with yearly subscriptions, punching additional holes in your pocket.

Linux on the other hand has significantly less number of viruses, so you are considerable less likely to get infected. In fact, I am yet to hear this from a friend or a fellow systems administrator, that they are using Linux, and that it has been infected! am sure most administrators or users  must have had a similar experience.

Linux does have malware. It is rare to actually get malware on Linux, but the same goes for a properly setup Windows computer with a user that uses common sense. Just because someone uses Windows does not mean that they will catch malware, nor is Windows typically easy to infect.

I would say 99% of all Windows infections nowadays are caused by the user allowing the malware to infect the system (e.g., running an infected program as Administrator, opening an e-mail attachment manually from an unknown e-mail, running random downloaded exe files from the Internet), not the malware just “getting in” by itself without accidental help from the user.

Also, malware for Linux can be just as dangerous as Windows malware. For example, someone writes a shell script for installing…say…a media player for Linux. Well “John Doe” (our average computer person we are using as an example) downloads and then runs the shell script, using setup instructions on the author’s website. The script informs John Doe that he needs to run the script as “root”.

John Doe then says to himself “I want to use this media player, so I’ll go ahead and login as root”. John Doe logs in as root, then executes the installer again (on Linux).  What John Doe does not realize is that the installer also contained malicious code to create a user account (for the hacker) as well as a small SSH service that allows the hacker to gain unauthorized entry into John Doe’s computer.

Now did Linux magically prevent the malware from infecting John Doe’s computer? Of course not. Neither would Windows, if that setup had been for Windows. Whether the installer had been for Windows or Linux, the malware would have needed the user to perform a risky move (running the setup as root on Linux) to infect John Doe’s computer.

Now not all malware requires the user letting it through, but I would say most of it does.

Quick Note:  Running something as “root” on Linux is the equivalent to running something as “Administrator” on Windows.

Also, FYI, it is extremely rare to catch a virus by just being connected to the Internet (that goes for Windows, Linux, or any other operating system).

Overall Security – Overall, I believe that Linux will always be much more secure than Windows operating system given the fact that its open-source. It would interest you to know that there is something called as the ‘Linus Law’ – named after the creator of the Linux kernel Linus Torvalds , which states :

“given enough eyeballs, all bugs are shallow”

That quote is really a myth. If anything, there would be so much code (like in the Linux kernel) that no one could constantly go through all of the code to make sure that no “monkey wrenches” have been thrown into the works.

Not to mention all of the Android malware that exists.  Remember Android (which is what I use on my phone) is Linux, and being Linux has not stopped malware from infecting people’s phones.

Here is a list of Android malware out there now:

Technically any Android malware *is* Linux malware.  I suspect a lot of Linux users have never thought of it that way before. Basically Android having malware completely disproves Linux being “inherently secure” (who started that myth anyway?).

Now I am not saying that Android malware will magically work on a CentOS web server, nor am I saying to just forget using Linux.  What I am pointing out is that Linux does indeed have malware, and saying that it doesn’t is false.

Also, my Windows server has been semi-frequently targeted for the ShellShocker vulnerabilities (even this late in 2015). This tells me that there must be Linux systems out there still vulnerable to ShellShocker, otherwise the attackers would not bother anymore. At least since my server I use runs Windows, I am not vulnerable to the ShellShocker vulnerabilities.

In simple terms it means given a large number of developers and beta testers, every problem will be identified quickly and that the solution of that problem will be obvious to someone. I completely agree with this.

I respect your opinion, but I respectfully disagree. There would be so much code (like in the Linux kernel) that no one could constantly go through all of the code all the time.

Think about it.  Someone sneaks in a little bit of malicious code (say…inside a large open source project) that deletes *all* the user’s data (does not require root privileges). Now unless someone is constantly going over all of the source code for that project, they may very well miss the malicious code. It just takes it happening one time in a large open source project to cause a large mess that would be very hard to clean up.

Also, there really is no hard evidence for “open source  ==  more secure”. Neither is there hard evidence for “closed / proprietary ==  more secure”  either.

Posted in Computers, Operating Systems