5

The famous so-called virus-and-hacker-free Mac is a thing of the past: As it gets more popular it gets more vulnerabilities. Will Linux be the same at some point in time? Is it getting less or more secure?

I know:

"No computer or network system is 100 percent secure. There is always a vulnerability in every system."

  • 8
    Linux is the kernel of the system (like GNU/Linux, Android, Ubuntu). Did your question relate to Ubuntu instead? Else, with all those unpatched Android cellphones out there, I would say lots of unsafe systems run Linux. – humanityANDpeace Oct 31 '15 at 20:26
  • 1
    Secure against what threats? As Security.SE's help center explains, "Security is a very contextual topic: threats that are deemed important in your environment may be inconsequential in somebody else's, and vice versa. [...] To get the most helpful answers you should tell us:
    what assets you are trying to protect;
    who uses the asset you're trying to protect, and who you think might want to abuse it (and why);
    what steps you've already taken to protect that asset;
    what risks you think you still need to mitigate"
    
    – D.W. Nov 01 '15 at 01:59
  • 2
    My computer is 100 percent secure; it never asks me if it looks fat, or questions what I've been doing when I say I was out with my friends. – user253751 Nov 01 '15 at 02:23
  • 1
    @immibis: LOL. Good response to an underspecified question. – David Foerster Nov 01 '15 at 11:35
  • @immibis: your computer is not really secure, just uninterested. – Paul Girardin Nov 04 '15 at 19:05
  • 1
    yeah, cryptolocker on mac was nothing more than multiple popup windows because they couldn't make malware that actually encrypted the data like it does on windows. – mchid Nov 16 '15 at 04:20

2 Answers

20

A system is never 100% secure and there are always vulnerabilities, in every OS. Some are known and some still want to get discovered though. It's a fact though that the UNIX/Linux security architecture (from which also Apple's OSX is derived) is much stronger than the one Windows had in the past and I believe it's even still slightly stronger than what they have nowadays, although the difference got minimized.

The advantage of a system with a very low user count is that hackers (only speaking of black hats that want to attack you) have a pretty small interest in spending their time on Linux, because even if they find an open backdoor, they can't make much profit with it as there are too few potential targets.

So the more users an OS has, the more interesting it is for people with criminal powers to find and exploit vulnerabilities. This, however, also means that more white hat researchers will check it out and fix some of those problems. So there will always be a balance between white and black, though experience shows us that the dark side usually has a slightly higher growth rate.

However, the OS itself is not getting more insecure or vulnerable once there is a high user base. The weak points remain the same, they just were not known earlier. But as knowing a problem is required to be able to fix it...

However, it's not really correct to say that Linux in general has a small user base today. Desktop computers mainly run Windows and not Linux distributions, but that's not the only type of computer we have. A majority of the web servers operate on Linux, and e.g. the Android OS for smartphones is actually Linux-based. These systems all have major differences, so a hack on one would probably not work on the other, especially as installed software is much more vulnerable than the system/kernel itself, so an attacker would rather try to break into that or trick the user.

Additionally (thanks @Rinzwind) it's also important to say that Linux systems in general can be seen as systems for advanced users (total computer noobs probably haven't even heard anything about it yet), whereas Windows is just what everybody uses, no matter what skills he/she has, as it comes preinstalled on almost every machine nowadays. This is important because many attacks depend on vulnerabilities of the interface between keyboard and chair, also known as "The User". Of course, many also just think they're experts and pay even less attention when downloading .deb packages from websites or compiling foreign code from source, because they believe the myth of "bulletproof Linux". So just copy-pasting sudo commands or installing software as root is and stays dangerous, because Linux systems are not designed to protect the user from themselves!

*"It's not UNIX's job to stop you from shooting your foot. If you so choose to do so, then it is UNIX's job to deliver Mr. Bullet to Mr. Foot in the most efficient way it knows."* - Terry Lambert

To conclude we can say that higher user numbers make the OS more secure in theory, as more vulnerabilities are detected and fixed, especially as it is Open Source. But practically this also increases the number of attacks, as it becomes a more interesting target.

The system itself is however usually the strongest part of the security chain, the weak parts are vulnerabilities in additional software (browsers, flashplayer...) or the users themselves, as it's easy to trick non-experts and let them install malicious programs or run evil copy-pasted sudo commands.

Byte Commander
  • I know that I said the same thing in my question. –  Oct 31 '15 at 17:24
  • Is it more secure than Windows or Mac because it is open source, less popular and Linus Torvalds said to look out for any vulnerability and bugs in the kernel? –  Oct 31 '15 at 17:28
  • It is more secure because it's Open Source and it is less attacked because it has a lower user base. – Byte Commander Oct 31 '15 at 17:32
  • 10
    @ByteCommander I would like to add: Linux is more secure due to the users being more educated than users on Windows. Biggest issue on Windows is the installation of software. We have this largely centralized, Windows does not (yet) and users install Windows software without caring where it is from. – Rinzwind Oct 31 '15 at 17:42
  • 1
    ByteCommander: you should add @Rinzwind's comment into your answer... – Fabby Oct 31 '15 at 18:25
  • 2
    Linux-based systems are widely used (outside the desktop), so there already is a blackhat vs whitehat war going on. – user31389 Oct 31 '15 at 18:30
  • 3
    @user31389 For sure, we also have a small set of malware and viruses as well as a few working attacks and exploits. But this all is nothing in contrast to what Windows has to battle. – Byte Commander Oct 31 '15 at 18:33
  • 1
    Yeah, the desktop Windows' threat model is mostly malware, while on Linux servers it's hackers. – user31389 Oct 31 '15 at 18:38
  • 3
    @ByteCommander "It is more secure because it's Open Source" [Citation needed]. Because in practice it seems that while it is possible for anyone to audit the software, everyone assumes someone else will do it for them (do I even have to mention OpenSSL explicitly?). Now if Linux is more secure than Windows - again a proposition you haven't proven - it has more to do with the development process and guidelines that have been set up (those are indeed pretty good by all standards). In the end looking at kernel CVE, those are rare on both OSes these days, it's mostly social engineering really. – Voo Oct 31 '15 at 18:47
  • @Voo Will add those citations if you add a bounty of at least 100 points. Otherwise, I propose you to write such an answer that meets scientific standards and I will offer that bounty to you... :) – Byte Commander Oct 31 '15 at 18:50
  • 1
    @ByteCommander Well here you go (src) - NVD entries for each OS in 2014. In the end those numbers vary enough each year that it's a wash really, particularly if you compare it to the thousands of high profile third party attacks each year. All those people getting hacked thanks to Flash exploits certainly outnumber everyone suffering due to kernel exploits. – Voo Oct 31 '15 at 18:52
  • 3
    I'd also like to take a minute to interject... As mentioned in chat, "Security is a process, not an application." Good security practices begin in the chair. – KGIII Oct 31 '15 at 18:56
  • 2
    @Voo This source is a commercial security company that wants to sell their products. Besides that, I miss the article/context of the image. Sorry, but I can't really accept that as a valid citation for anything. Especially because I can't see how they got these numbers. (this comment applies to the first version of your last post) – Byte Commander Oct 31 '15 at 18:57
  • @ByteCommander Yes a commercial company summarized NVD entries. Are you saying that they fabricated/miscounted NVD entries or that the NVD itself is unreliable? – Voo Oct 31 '15 at 19:00
  • 1
    @Voo I didn't have anything to do with NVD yet. Need to research on them first. My offer of that bounty if you write a good answer still stands, by the way. – Byte Commander Oct 31 '15 at 19:04
  • @Rinzwind Troubleshooting on Linux frequently involves copy/pasting command lines from the internet, and running them with sudo. Not all users will take the time to learn and understand all of these commands before entering them... And even those who do still occasionally leave mistakes in their own commands. – T. Verron Nov 01 '15 at 16:56
  • @Rinzwind Also, don't blame the users for the system's flaws: a centralized package manager has nothing to do with the level of education of its users. If anything, educated users are more likely to add non-standard repositories or compile software from source, effectively replicating the Windows "download and install" vulnerability. And of course, both Windows and Linux educated users are more likely to be careful before installing untrusted software. – T. Verron Nov 01 '15 at 16:58
  • 1
    -1 for spreading the "low Linux user count" myth. The tens of millions of Linux servers, hundreds of millions of Android phones, and a few millions of Linux desktops out there beg to differ with you. The first category, in particular, are generally much higher value targets than your average Windows desktop, and see a lot of malicious activity of various types. – Michael Hampton Nov 01 '15 at 19:33
  • @T.Verron I extended/edited my answer and included your points. – Byte Commander Nov 02 '15 at 18:14
  • @MichaelHampton You're right. I have edited and extended my answer to point this out. Would you mind reviewing it again and rethinking your vote? Thanks. – Byte Commander Nov 02 '15 at 18:15
  • not to mention chromeOS – mchid Nov 16 '15 at 05:03
14

Systems with a Linux kernel have been in widespread use for a long time, and unlike the typical desktop computer, they are always online and actively accepting connections.

https://en.wikipedia.org/wiki/Linux#Servers.2C_mainframes_and_supercomputers

What's more, compromising a single web server is a much higher-value target than compromising a single desktop.

So, I reject your assumption that the number of desktop users would necessarily lead to increased targeting.

That being said, people hack what they know. Linux-based systems have long been a popular system among such people, however.

  • 2
    This. When non-savvys think of viruses, they imagine those annoying adwares, or maybe even Cryptolocker. But they forget that the internet has computers on both sides, and the computers holding the data of thousands of millions of users are much more valuable than a single user's computer. Linux is in the lead for server-side applications, and this makes it a perfectly valid target for hackers. (Even though it's usually easier to find vulnerabilities in the applications running on the OS than in the OS itself) – Kroltan Nov 01 '15 at 00:30
  • 2
    Of course, those servers typically won't be running xwindows, or a web browser, or many of the dozens of other pieces of software that are frequently used on the desktop. – evilsoup Nov 01 '15 at 10:02
  • On the other hand, there are so many more single desktops than there are webservers, and apparently the real cash these days is in the botnets and phishing... – Shadur-don't-feed-the-AI Nov 01 '15 at 14:13
  • @Shadur A quick Wikipedia search seems to hint that there are roughly as many personal computers as webservers (1 billion of each). And webservers are high-value targets leading to the real cash too: steal e-mail lists, passwords lists, certificates, and then use these to attack desktops. – T. Verron Nov 01 '15 at 17:13
  • Ha! I got cryptolocker on my ubuntu box and so I closed the webpage, problem solved. – mchid Nov 16 '15 at 04:18