The Lagoon TechMy little blog in Cyberspace.

In this blog post, I will be giving a brief response to a section of an online article I found. The article claims that Linux is “more secure” than Windows, but this is of course not accurate. The article can be located at: http://techluminati.com/operating-systems/linux-vs-windows/

Please note that I mean *no* disrespect to the author of the article.  Please also note that I am just going to reply to the part of the article that talks about Windows’ security. I’m not replying to the whole article.

The direct quotes from the article are in red, and my responses are in black.

Linux on the other hand , has always been a secure operating system since the early days. It has often been the subject of debate that an open source operating system cannot be as secure as a proprietary one, but Linux has proved  that belief to be untrue. Overall, I believe that Linux offers much more security by default.

This is not true at all. Linux has had its fair share of security vulnerabilities too. Also, Linux was not “always secure from the beginning” either. Linux itself had to undergo a lot of security patches to get it where it is today.

Overall, I believe that Linux offers much more security by default.

Not really. A default install of Windows Server 2012 R2 and CentOS Linux will have similar security defaults out of the box.

• https://www.cvedetails.com/vulnerability-list/vendor_id-33/product_id-47/cvssscoremin-7/cvssscoremax-7.99/Linux-Linux-Kernel.html
• https://web.nvd.nist.gov/view/vuln/search-results?query=linux+kernel&search_type=last3months&cves=on

As the links will show you, there have been several security problems discovered in Linux. Why people insist on saying that Linux is “more secure” than Windows is beyond me.

Access Privileges – Linux by default does not run as a root (the Windows ‘administrator’ equivalent) This ensures that any automated program or script cannot make changes to the system without explicit privileges from the user.

Windows (since Vista) does not let the user run as Administrator by default. The default Windows user has to press “Yes” on the UAC prompt to gain Administrator access. Otherwise the user is still a “limited, non-Administrator”.

Linux (specifically Ubuntu) does something similar. The default user in a Ubuntu install is a limited account too (like Windows) with privileges to access root if the user wants to, but instead of having to click a “Yes” button to gain Administrator access, the Ubuntu Linux user has to enter their password instead.

I suspect Microsoft opted for clicking a “Yes” button for more user-friendliness. However you can have Windows force users to enter their password, instead of just clicking a “Yes” button.

Although Windows has implemented a similar mechanism called ‘User Account Control or UAC’, Which does provide good protection although not as robust as Linux does.

You claim that UAC is not as “robust” as Linux (I assume you are talking about “sudo” in Linux). This isn’t true. UAC is basically doing what “sudo” on Linux does. Allowing a Windows user to elevate him/her self to Administrator, without having to be Administrator all the time.

Viruses – Viruses and other malware continue to be a constant headache for windows users. Combating viruses is not only time consuming, but also expensive when we talk about using Windows in a large scale production environment. Moreover, there is always a need to purchase expensive antivirus software with yearly subscriptions, punching additional holes in your pocket.

Linux on the other hand has significantly less number of viruses, so you are considerable less likely to get infected. In fact, I am yet to hear this from a friend or a fellow systems administrator, that they are using Linux, and that it has been infected! am sure most administrators or users  must have had a similar experience.

Linux does have malware. It is rare to actually get malware on Linux, but the same goes for a properly setup Windows computer with a user that uses common sense. Just because someone uses Windows does not mean that they will catch malware, nor is Windows typically easy to infect.

I would say 99% of all Windows infections nowadays are caused by the user allowing the malware to infect the system (e.g., running an infected program as Administrator, opening an e-mail attachment manually from an unknown e-mail, running random downloaded exe files from the Internet), not the malware just “getting in” by itself without accidental help from the user.

Also, malware for Linux can be just as dangerous as Windows malware. For example, someone writes a shell script for installing…say…a media player for Linux. Well “John Doe” (our average computer person we are using as an example) downloads and then runs the shell script, using setup instructions on the author’s website. The script informs John Doe that he needs to run the script as “root”.

John Doe then says to himself “I want to use this media player, so I’ll go ahead and login as root”. John Doe logs in as root, then executes the installer again (on Linux).  What John Doe does not realize is that the installer also contained malicious code to create a user account (for the hacker) as well as a small SSH service that allows the hacker to gain unauthorized entry into John Doe’s computer.

Now did Linux magically prevent the malware from infecting John Doe’s computer? Of course not. Neither would Windows, if that setup had been for Windows. Whether the installer had been for Windows or Linux, the malware would have needed the user to perform a risky move (running the setup as root on Linux) to infect John Doe’s computer.

Now not all malware requires the user letting it through, but I would say most of it does.

Quick Note:  Running something as “root” on Linux is the equivalent to running something as “Administrator” on Windows.

Also, FYI, it is extremely rare to catch a virus by just being connected to the Internet (that goes for Windows, Linux, or any other operating system).

Overall Security – Overall, I believe that Linux will always be much more secure than Windows operating system given the fact that its open-source. It would interest you to know that there is something called as the ‘Linus Law’ – named after the creator of the Linux kernel Linus Torvalds , which states :

“given enough eyeballs, all bugs are shallow”

That quote is really a myth. If anything, there would be so much code (like in the Linux kernel) that no one could constantly go through all of the code to make sure that no “monkey wrenches” have been thrown into the works.

• Remember the ShellShocker vulnerability that went unnoticed for over 15 years(!)
• Remember the Heartbleed OpenSSL vulnerability?
• Remember the GnuTLS software vulnerability that was discovered over a year ago?

Not to mention all of the Android malware that exists.  Remember Android (which is what I use on my phone) is Linux, and being Linux has not stopped malware from infecting people’s phones.

Here is a list of Android malware out there now: https://forensics.spreitzenbarth.de/android-malware/

Technically any Android malware *is* Linux malware.  I suspect a lot of Linux users have never thought of it that way before. Basically Android having malware completely disproves Linux being “inherently secure” (who started that myth anyway?).

Now I am not saying that Android malware will magically work on a CentOS web server, nor am I saying to just forget using Linux.  What I am pointing out is that Linux does indeed have malware, and saying that it doesn’t is false.

Also, my Windows server has been semi-frequently targeted for the ShellShocker vulnerabilities (even this late in 2015). This tells me that there must be Linux systems out there still vulnerable to ShellShocker, otherwise the attackers would not bother anymore. At least since my server I use runs Windows, I am not vulnerable to the ShellShocker vulnerabilities.

In simple terms it means given a large number of developers and beta testers, every problem will be identified quickly and that the solution of that problem will be obvious to someone. I completely agree with this.

I respect your opinion, but I respectfully disagree. There would be so much code (like in the Linux kernel) that no one could constantly go through all of the code all the time.

Think about it.  Someone sneaks in a little bit of malicious code (say…inside a large open source project) that deletes *all* the user’s data (does not require root privileges). Now unless someone is constantly going over all of the source code for that project, they may very well miss the malicious code. It just takes it happening one time in a large open source project to cause a large mess that would be very hard to clean up.

Also, there really is no hard evidence for “open source  ==  more secure”. Neither is there hard evidence for “closed / proprietary ==  more secure”  either.

I received this comment that someone posted online. In case anyone is wondering, I try to keep the authors’ names and/or usernames of different comments, articles, blog posts, etc. I respond to anonymous.

The comment was riddled with misinformation and untruths about Windows. I will place the comment author’s comments below in red. My responses are in black. Please note that I mean no disrespect to the comment’s author in anything I say.

It is funny because if you walk into any major company, even Microsoft, you will find a majority of the servers running Linux.

While there are a lot of companies that make use of Linux (and probably have several Linux servers), I highly doubt that Microsoft uses many (if any) Linux servers themselves. Do you have a source to verify this?

It is also funny that they think Windows is more secure.

What makes you think Linux is any more secure than Windows? You did not provide any technical arguments.

Windows has not fixed any major security holes in years because it is impossible to do so. The software runs in the operating system instead of a sort of run time container.

1. To say that Windows “has not fixed any major security holes in years” would mean that Microsoft does not give security patches to Windows. This is, of course, a false statement.
2. Why would it be “impossible” to fix major security issues in Windows? You gave no technical arguments to backup your statement.

Open Source ensures that any security holes found can be fixed within minutes of finding them. Windows has to officially release patches for every fix and those fixes can only be made by Microsoft.

Not true! The Bash ShellShock vulnerability took days to get all the official patches out.

“Initial solutions for Shellshock do not completely resolve the vulnerability. It is advised to install existing patches and pay attention for updated patches to address CVE-2014-6271, CVE-2014-7169, CVE-2014-7186, CVE-2014-7187, CVE-2014-6277, and CVE-2014-6278. Red Hat has provided a support article with updated information.”   —   Source:  https://www.us-cert.gov/ncas/alerts/TA14-268A

In other words, the current patches are not a 100% guarantee that the ShellShock vulnerability has been completely patched.

I don’t think you understand fundamentally how the Windows operating system works from the perspective of a low level developer. If you look at the Windows source you will see that it has almost not been touched since XP.

Not true!  Windows 7 alone had the following features added to the OS such as:

• touch and handwriting recognition
• support for virtual hard disks
• improved performance on multi-core processors
• ClearType Text Tuner
• support for multiple heterogeneous graphics cards from different vendors

Final point is that Ubuntu, which in the Linux community is considered Windows with a custom theme, has that title for a reason. Besides being pure Linux on the backend, the front end is basically the same as Windows.

Ubuntu Linux is not a complete replacement for Windows. There are many programs (such as:  Adobe Photoshop, Microsoft Word, Visual Studio)  that either have no Linux equivalent, or the “equivalent” software program is not up to par.

It is also one of the biggest Linux communities in the world. If you have a problem, you can find a solution normally within a few minutes by asking online in any Linux community weather it is programming or general usage. I should know because I use Linux as my main OS.

You can usually find quick answers to Windows questions online.

You have the question as well, infrequent tested patching or ultra frequent fixes that can quickly be refined by a large userbase that puts it through actual non-simulated testing. The answer is obvious.

Community testing of patching (a.k.a fixes) is a good way to know if what you fixed is actually fixed! However, this does not mean that professional testers are “worse” than community testers. In other words, don’t assume community software testers are “better” than professional software testers.

————————————-

Of course I use both Windows and Linux myself and am not a Windows fanboy, but it is a pet peeve of mine to hear incorrect Linux statements made from people as well as Windows FUD spread by people who do not know what they are talking about.