Linux Security Myth Busting

[CMonster]

A short word on Linux security:

"Linux is secure in it's obscurity;"

This is a common misconception. Linux is not obscure; being based on the UNIX model that has been around since before DOS was a twinkle in Bill Gates eyes, the structure and functions of UNIX are hardly unknown. The infamous "Internet Worm" of 1986 was the first widely publicized threat to networked computers --they ran UNIX and the exploit took advantage of the "at" command. Since then, continuing to the present day most network servers, mission critical applications, and super computers run UNIX (many Linux).

Linux is more secure than windows for several reasons, here are a few:

First of all, at its inception Linux was designed to be a desktop version of UNIX, so it progressed from a true NOS (network operating system) to a desktop OS, carrying with it a legacy network security model of server/client-user with limited permissions. Unlike windows which progressed from a single-user desktop OS to a NOS, having to add layers of security along the way.

Secondly, Linux, being open source, might seem to invite hacks but the opposite is equally true --as fast as a hack is discovered by the community a security fix/patch is usually made available.

Finally, while I admit that Linux does require the user to be a bit more educated about system administration (there is a learning curve), we all understand that an educated user makes for better security in any OS, rather than relying on mouse clicks and eye-candy that pop up warning of a threat.

[EXreaction]

An OS is only as secure as it's weakest application.

I've not heard of an exploit for the Windows OS or Unix OS in a very long time, most or the hacks are all targeted at 3rd party software.

[SeanC]

Pretty much. Remember there was the recent Windows, Mac, Linux hacking contest? None of them could be hacked through just the OS itself. It was the 3rd party apps which nailed Windows (Acrobat or Flash video or something Adobe anyway, if I recall). If Linux/Unix apps are direct ports of source code then they could very well have the same vulnerabilities, but with the default user account not having full administrative/root access to the system, the damage is more limited. Windows can do that too, except for the everyday apps (like Microsoft's own Office - older versions anyway, don't know about 2007) that required the user to be an admin to even use some of the programs.

[#43 fan]

The hackers may have been able to get through using just the OS, but it would've taken quite a bit of time.

[cunokyle]

Saying Linux or UNIX are more secure than Windows is not true. As stated above, the third party software is what is responsible for the security holes in almost every case.

[CMonster]

3rd party applications with code open to inspection allows security flaws to be more readily identified and patched. 3rd party applications are generally being run with very limited permissions on the UNIX model -I can't say that has always been the case with other platforms.

I may also be guilty of taking the suite of applications collectively and calling them an OS, as many users commonly do, leading me to suppose that just about everything other than the base OS kernel could be called a 3rd party application. At what point is the cut off --compiled drivers are OS but module drivers are 3rd party?

Anyway, my basic point was that security in obscurity is a myth - Linux-os-suite-of-applications are hardly obscure to hackers, but perhaps a little more abstruse to the script kiddies.

[SeanC]

I agree that Linux is definitely not obscure anymore. But it's fairly safe from the "script kiddies". In general, you need someone that truly knows what they're doing to crack a Unix-based system.