Thursday, November 20, 2008

Why Linux Is Not More Secure Than Windows

Alright, every once in a while, I come across a truly stupid Linux article and have to give it a rant of its own. This stupid post goes on to describe how Linux is more secure than Windows. Let's eviscerate this mishmash of stupidity and FUD, shall we?
Since the 1970s Unix has had a proper permission based system.
So it has an old feature. Big deal.
Every computer has an “administrator” account called “root”.  The root account can perform any function whatsoever on the system.

That does not seem very secure. If an attacker can get the root password, the system is completely at his mercy. Plus, Windows NT/2K/XP/Vista has this feature as well.
You have access to one single directory known as your home folder.  To do any task, or for any program to execute any task, outside of your home directory, you will need to give it the root password.
You can set up this feature in Windows XP and especially Vista. Vista makes it easy to install and run as a limited user, and if an action requires administrative privileges, they are only a sudo away. Even in XP it is not terribly hard to create a limited account. I think the default account is 'Power User' who can install software but is still restricted in some ways.
Every file, program, etc. has a series of three permissions on it.  One for the user, two for the group, and three for world (or everybody).  Each of these series has 3 different types of permissions, read, write, and execute.
Only 3? Uh, Dude. I think you should Google something like Windows ACL (I just did it for you). You should find a site like this one.
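The two models being compared here, side by side, as an added example that is not taken from this post or from the article it quotes. Both checks are simplified (no root/administrator bypass, no inheritance, no POSIX ACL extensions), and every user, group and rule below is constructed for illustration.

```python
# Added illustration: simplified access-check models, not real OS code.
R, W, X = 4, 2, 1  # the same bit values are reused for both models

def posix_allows(mode, owner, group, uid, gids, want):
    """Classic Unix check: exactly one class (owner, group, other) is consulted."""
    if uid == owner:
        bits = (mode >> 6) & 7
    elif group in gids:
        bits = (mode >> 3) & 7
    else:
        bits = mode & 7
    return (bits & want) == want

def dacl_allows(dacl, sids, want):
    """Simplified Windows-style DACL walk: entries are evaluated in order."""
    remaining = want
    for ace_type, sid, mask in dacl:
        if sid not in sids:
            continue                      # entry is for someone else
        if ace_type == "deny" and mask & remaining:
            return False                  # a still-needed right is denied
        if ace_type == "allow":
            remaining &= ~mask            # these rights are now granted
        if remaining == 0:
            return True
    return False                          # no entry granted it: implicit deny

# Constructed principals: three users and one group.
ALICE, BOB, CAROL, STAFF = 1000, 1001, 1002, 50

# Constructed per-user rules; mode bits alone cannot express them on one file
# without inventing extra groups.
DACL = [
    ("deny", "carol", W),
    ("allow", "alice", R | W),
    ("allow", "bob", R),
    ("allow", "carol", R | W),
]

if __name__ == "__main__":
    # Mode 0640 owned by alice:staff; bob is in staff, carol is not.
    print("bob read  :", posix_allows(0o640, ALICE, STAFF, BOB, {STAFF}, R))
    print("carol read:", posix_allows(0o640, ALICE, STAFF, CAROL, set(), R))
    # Owner class wins even when it grants less than the group class.
    print("owner 0074:", posix_allows(0o074, ALICE, STAFF, ALICE, {STAFF}, R))
    # The earlier deny entry removes write from carol's later allow.
    print("carol rw  :", dacl_allows(DACL, {"carol"}, R | W))
```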
Again, the registry, by default, can be edited by anyone or any process running.
Since I wasted so much time with Linux, I am quite unfamiliar with the inner workings of the Windows registry. Are you telling me that HKEY_LOCAL_MACHINE can be edited by users of any privilege level? I highly doubt it; otherwise, it would have definitely been listed as a criticism. Wait, I think you are still talking about the default permission thing, aren't you?
Linux doesn’t have a registry, it has a folder which contains configuration files (one file per application) that controls settings for JUST that program. 
Dude, ever heard of Gconf? It has all the features of the registry and all the problems.
Because open source software is open to the world, the code has many many more eyes on it.  So bugs and vulnerabilities get patched sometimes two and three times faster than corporations are able to patch theirs.
Yes, when a security flaw is found, the code can quickly be patched, but this is true in the proprietary world as well. The real test is getting the patched binary out to the users. When a major problem is discovered, like the WMF vulnerability a few years ago, Microsoft can move quite fast.
The problem is, the grand majority of users have no idea about computers, software, and technology.  They know what they need to know to perform their tasks and that’s it.
Yes, this is true. This is also something that many lusers don't seem to understand.
With Windows, you go scouring the internet looking for that program that will remove spyware, or help you balance your checkbook, or allow you to talk to friends and family over IM.  This is problematic as most people are unaware of what web sites offer legit, virus free, spyware free, applications that do exactly as advertised (for free or paid for).
Well, you could help them by giving them a link to download.com (I did it for you again). I have heard that they run the software through some checks to prevent uploading malware. It is easier than teaching them how to use Linux.
In Linux it’s a bit different.  There is one place to get a majority of your software, and this same place has the ability to update all your software as well.
Of course the binary they are downloading is not always exactly the same as the one compilable from the code released by upstream. It often contains patches, and sometimes these patches can cause major security problems.
Many distributions use what’s called “Secure Linux”
Uhhh.... Mandatory Integrity Control? It was included by default in Windows Vista, which was released nearly two years ago.  Where have you been?
Again, when you install proprietary software, you never really know who has access to what.  Since the code is closed off, the maker of that software can include any backdoor they wish.
Yes, but if they screw up, the backdoor will be found, and if the backdoor is found, then people will be hesitant about using the software. A software company that needs buyers to give it money to survive will have a vested interest in not screwing its users (at least, not too much). Sure, freeware developers can include spyware as a revenue stream, but this just illustrates the principle of TANSTAAFL.
And unlike the NSA developed SE Linux, this code is held private so no one can review it
There are many ways to find backdoors: running applications through a debugger, monitoring network connections (the big one), etc. Since this potential Windows backdoor was found, it looks like it is possible to find backdoors in closed-source software. It is also possible to include backdoors in open source software; just look at the Underhanded C Contest.

So, basically, these are the security enhancements that Linux has over Windows? Call me a Micr0$0ft $hi11 if you want, but I do not think these 'advantages' outweigh Linux's other problems.
