Linux Is Always a Wiser Choice Than Windows: You Were Not Imagining It

Why Linux is More Secure Than Windows

In my last post, I showed how the vulnerability counts for Ubuntu Dapper LTS were lower than those for Windows Vista. However, I also mentioned that this should be used only to counter Microsoft FUD, and not as a measure of security. What, then, shows that Linux is actually more secure than Windows?

To answer this, we first have to look at what security actually is. Too many people make the mistake of calling a product secure, e.g., Linux is more secure than Windows, Opera is more secure than IE, etc. Now, security is not a product. It is a process with the user in a central role. Security is a state to be actively attained by proper interaction of the user and the software. Vulnerability patch management is just an important part of this process. What are perhaps more important are proper tools for patch management, stronger defaults and a multilayered approach to security keeping in mind the practical security scenario for that particular software, with the user forming both the first and last line of defence.

With this in mind, I turn to the reasons why an educated user of a Linux distro is in general more secure than one using Windows:

Much better patch management tools: In Windows, the automated update procedure updates only the components supplied by Microsoft. No third-party applications are patched. Yet third-party applications make up the bulk of the security vulnerabilities. Using RealPlayer? You have to update it separately. Using Flash? Update separately. So you have to check regularly for updates to each and every application. This is extremely cumbersome (though, fortunately, the experience is made tolerable by the Secunia PSI), and most users just forget to do it. In Linux, you have an automated update system which will update all your software. In Ubuntu, any product you have downloaded, if present in the repository, will be updated at the single click of a mouse. In other distros, if the downloaded software is not present in the repository provided by the distro, adding the product repository is a one-time process. This greatly increases user compliance in staying fully updated.

Much stronger default configuration: Linux was designed to be a multi-user system. Therefore, the underlying system files will remain protected even if a user account is compromised. If, unfortunately, any remote code execution takes place, it will only take place locally, confined to the compromised account. This is to be contrasted with Windows XP, where the user logs in as administrator by default, and any compromise takes on a system-wide character. Windows Vista has also moved to a limited user account by default, and therefore is more secure than its predecessor.
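One way to check this claim on a given system, as an added example that is not part of the original post: the sketch below applies the classic owner/group/other permission test and lists every path under a directory that a given unprivileged account could modify. It assumes plain Unix mode bits only (ACLs and other mechanisms are ignored), and the UID 65534 in the usage section is an assumed "nobody" account.

```python
import os
import stat

def can_write(st, uid, gids):
    """Apply the owner/group/other write check to one stat result."""
    if uid == 0:                       # root bypasses permission bits
        return True
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IWUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IWGRP)
    return bool(st.st_mode & stat.S_IWOTH)

def writable_paths(root, uid, gids=()):
    """Return sorted paths under root (root included) that uid could modify."""
    candidates = [root]
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            candidates.append(os.path.join(dirpath, name))
    found = []
    for path in candidates:
        try:
            st = os.lstat(path)
        except OSError:                # vanished or unreadable entry
            continue
        if stat.S_ISLNK(st.st_mode):   # a symlink's own mode bits are not enforced
            continue
        if can_write(st, uid, gids):
            found.append(path)
    return sorted(found)

if __name__ == "__main__":
    # Assumption: 65534 is the unprivileged "nobody" account on this system.
    for path in writable_paths("/etc", uid=65534):
        print("writable by unprivileged account:", path)
```

An empty result for a system directory is what the multi-user design is supposed to give; any writable directory in the list matters as much as a writable file, because it allows files inside it to be replaced.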

Modular Design: Linux is modular by design, that is, any system component may be removed if unnecessary. As a result, if the user feels that a part of the system is more insecure, he or she may remove that component. The same cannot be said of the Windows system. For example, if I feel that Firefox is the most vulnerable part of my Linux distro, I may remove it completely and replace it with another browser, say, Opera. In Windows, I cannot remove Internet Explorer.

Better tools to protect against zero-day attacks: It is not always sufficient to keep oneself fully patched. Zero-day attacks (attacks where the exploit code is released before the vendor patches the vulnerability) are becoming increasingly common. One study has also shown that it takes only six days for crackers to release exploits, while it takes vendors much longer to release patches. Therefore, a sensible security policy will make provisions for zero-day attacks. Windows XP has no such provision. Protected Mode in Vista, though useful, provides only limited protection against Internet Explorer attacks. Contrast this with the protection provided by AppArmor or SELinux, both of which provide finely granular protection against any type of remote code execution attack. It is becoming increasingly common for distros to ship with AppArmor (e.g., SuSE, Ubuntu Gutsy) or SELinux (Fedora, Debian Etch, Yellow Dog) by default. In others, they can be downloaded from the repositories (e.g., AppArmor in Mandriva 2008).

Open Source Architecture: In Linux, it is mostly “What you see is what you get” as far as security is concerned. The open code means that vulnerabilities are seen by “many eyes” and fixed as fast as possible. More importantly, this also means that there is no scope to hide the patched vulnerabilities; there are no hidden fixes. The user, if motivated, may find out the security issues known for his operating system, and take precautionary measures against potential exploits, even if the vulnerabilities are not patched. In the Windows world, however, many security issues are hidden. Internally found flaws are not publicly released, and the vendor waits for a major update or service pack to patch silently. While this may lead to lower vulnerability counts, and better publicity using flawed statistics, this keeps the user in ignorance. As a result, a user may not patch a system if he finds that he is not vulnerable to the reported vulnerabilities, while he may, in reality, be affected by a hidden patch.

Diverse Environment: The Windows environment has been likened to a monoculture. There is great homogeneity, which makes it easier for crackers to write exploit code, viruses and the like. Compare this to the Linux world. Here, a program can be a .deb, .rpm, or source code, to name a few. This heterogeneity makes it difficult for crackers to have the widespread impact that is possible on Windows.

Badger Linux Net

www.badgerlinux.net

What Does Microsoft Windows Really Cost ???

With the recent upsurge of popularity in Linux based systems, IT admins have been asking the question of the TRUE cost of Linux. What impact does it have on the enterprise in regard to training, support, etc? While some claim that the cost of Linux is fattened by a little extra user training (a claim I happen to disagree with), what about the extra administration and maintenance that has to be done on Windows systems?

The general rule of thumb about computer security is that software is inherently insecure and will require updates. While Windows does keep a good handle on things with Windows Update, a few caveats exist. First off, Microsoft has been notoriously slow at providing security updates for certain critical vulnerabilities over the past few years. Secondly, Windows Update only updates software provided by Microsoft, namely Windows and Office. Third, several very severe security vulnerabilities in the core of Windows operations have yet to be addressed, such as the “net user” command. On the flipside, most mainstream variants of GNU/Linux feature an advanced package manager that takes care of software updates for every piece of software installed by the package manager in a single process. In my experience, the best package managers that provide the most software belong to Ubuntu and Gentoo. Debian/Ubuntu’s apt may be preferable to more people because of its speed and simplicity, but Gentoo’s Portage offers more code and build customizability than any other package manager and features more packages than most package managers. Because of the centralization of application administration, updates to all packages on a system can be easily scheduled and administrative overhead eliminated.

I’ve seen several computer-literate people have the misconception that package management is difficult and they’d rather do it the Windows way and download their software from whatever website they like the best and trust that it’s valid software and is free of malware. I have experience with this type of program administration and I can faithfully say it’s flawed. I’ve downloaded software on a Windows machine from so-called trusted websites and gotten various forms of adware and spyware and I don’t like the paradigm. Linux package managers, on the other hand, are closely guarded and administered with verification mechanisms in place to counteract a bad seed administrator. Ubuntu’s apt repositories use message digests to verify that the other repositories are using the correct version/copy of the package. This discourages disgruntled server administrators or malicious hackers from placing a bogus package in the repository that may contain viruses. Package management is truly one of the greatest innovations to ever come to computing.
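The digest check mentioned above, as an added example that is not from the original post or from apt's own code: it parses one entry of a Packages index and compares the recorded Size and SHA256 fields against the bytes that were actually downloaded. The package name, payload and index entry are constructed for illustration; real apt additionally verifies a signature over the index files that carry these digests, which is not shown here.

```python
import hashlib
import hmac

def parse_stanza(text):
    """Parse one RFC 822-style stanza of an apt Packages index into a dict."""
    fields, key = {}, None
    for line in text.strip().splitlines():
        if line[:1] in (" ", "\t") and key:       # continuation of previous field
            fields[key] += "\n" + line.strip()
        else:
            key, _, value = line.partition(":")
            fields[key] = value.strip()
    return fields

def verify_package(stanza, blob):
    """Return (ok, reason) after checking blob against the index entry."""
    expected = stanza.get("SHA256", "").lower()
    if len(expected) != 64:
        return False, "index entry has no usable SHA256 field"
    size = stanza.get("Size", "")
    if not size.isdigit() or int(size) != len(blob):
        return False, "size mismatch"
    actual = hashlib.sha256(blob).hexdigest()
    if not hmac.compare_digest(actual, expected):
        return False, "digest mismatch"
    return True, "ok"

# Constructed sample data: a stand-in payload and the index entry a
# repository would publish for it (not a real package).
GOOD_DEB = b"constructed package payload v1.0\n"
TAMPERED_DEB = GOOD_DEB.replace(b"v1.0", b"v6.6")   # same length, altered bytes
ENTRY = parse_stanza(
    "Package: hello-example\n"
    "Version: 1.0\n"
    "Description: constructed sample entry\n"
    " second line of the description\n"
    f"Size: {len(GOOD_DEB)}\n"
    f"SHA256: {hashlib.sha256(GOOD_DEB).hexdigest()}\n"
)

if __name__ == "__main__":
    for label, blob in (("original", GOOD_DEB), ("tampered", TAMPERED_DEB)):
        print(label, verify_package(ENTRY, blob))
```

The tampered payload has the same length as the original, so only the digest comparison catches it; the size check alone would pass.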

I go to school at a technology center for IT studies and the class has to take care of the school’s IT maintenance needs. Just today, we did a full cleanup schedule on all the PCs in the school. The process took the entire class (25 people) all day to complete and not all the school’s 250 PCs were completed. It occurred to me that running anti virus/spyware, registry cleaners, disk cleanup utilities, and defrag consume far too much maintenance time. For an IT department to spend this much time completing a task is beyond me. Sure, some of the tasks can be scheduled to complete automatically but they still need to be verified and the task has to be scheduled to begin with. How much time does the average IT department spend taking care of weekly or bi-weekly maintenance on Windows machines? Do IT departments even bother with it? If not, what about the risk of malware infections?

I abhor having to do this maintenance at school, mainly because I NEVER have to perform it at home. At home, I use nothing but Linux based systems. I have been using some form of Linux as my operating system for nearly 10 years now (fully ditched Windows about 5 years back) and I’ve never had a virus. I’ve never had spyware. Linux filesystems don’t get nearly as fragmented as NTFS and I’ve never defragged a Linux box. It seems to me that all this talk about the true cost of Linux is taking the spotlight while no one is really asking about the cost of Windows. Not only are the licenses grossly overpriced but the cost of properly maintaining a working system wastes valuable time for the IT department. While they’re taking care of these annoying little tasks, something more important has to wait in the wings. I’d like to hear some IT managers’ positions on this and see how much time they spend maintaining Windows systems in their enterprise.
