Free Republic
Browse · Search
General/Chat
Topics · Post Article


Why Linux Will Never Suffer From Viruses Like Windows
Hot Hardware ^ | 4 September 2012 | Jesse Litton

Posted on 09/05/2012 12:51:34 PM PDT by ShadowAce

There seems to be a recurring phenomenon in the technology press, where any trojan that affects Linux or Macs becomes front page news. On the other hand, trojans that affect Windows are mostly ignored, perhaps because this is considered to be the normal state of affairs.  

There are two common statements made in the discussions of these rare events:

 

The first statement is almost correct, whereas the second one is a flat out myth in my opinion. Let me explain, and I’ll listen if you still disagree after reading the following in its entirety.

1.  No operating system will ever be totally secure from Trojans... but only as long as they allow anyone to write un-sandboxed software for it.

If users have the ability to run anything, they can also install anything they are tricked into running. Anyone can trick people into running a script to format their drive on any operating system... if the user is gullible enough to click through the prompts and enter the admin password. There is only one way around this: Don’t let the users run anything they want!

Take the XBox 360, for example. It’s actually a full-fledged computer, with huge market share, running a Microsoft operating system. Yet, with all these compounding points of vulnerability it has no known trojans floating around in the wild. Why? Because full system access is restricted to established companies with a clear chain of responsibility. Users can’t run unsigned software on the system, and even with XNA indie devs get only crippled sandbox access.

Apple’s taking this same approach with their Mac App Store. Apps delivered through the store must run in a sandboxed environment. Microsoft is also doing the same thing with their Windows 8 app store. If devs want to create their own apps with full system access, they won’t be able to play in these ecosystems.  Of course, Apple and Microsoft still let their own apps, the ones devs will be competing against, run with full system access (look for anti-trust lawsuits here later).

After “Secure Boot” (i.e. restricted boot) is prevalent, and the operating systems are locked down to not allow anyone to sideload any non-OEM software, we could be completely free of trojans and viruses.  That might be good for the average level of system security, but it would be a horrible blow to innovation, competition, and the indie/hobbyist developers.

2. Does system adoption directly correlate to an increased likelihood of viruses / trojans? No. Not in my opinion. There are many reasons Linux systems have fewer viruses, and market share is only one factor.  I’ll address these from the Linux perspective. On the Mac side of things, several of the points don’t apply, as Apple has taken free software and brought it into its closed, walled garden.


A huge percentage of Linux software is installed from signed repositories:

1) The downloads themselves are cryptographically signed.

When a user downloads software and drivers for Windows, they’re typically doing it from many different websites on the internet, and trusting that the admins of every one of those sites are competent and have done their due diligence to implement the proper security. At the time of the download, there is no check to verify that the file the user is getting was actually created by a trusted source (and not a hacker that has pwn’d the site) or is being served by some man in the middle.

On Linux, with few exceptions, the hardware drivers are also included with the kernel. As for software, users typically download that from only a limited set of distro-owned repositories.  All software is delivered in installation packages that are cryptographically signed and those signatures are checked at installation time.  If a package has been replaced with a hacked version and was therefore not signed with a trusted cert, users will get a big fat error warning them of that.

2) The repositories (“repos”, for short) keep all of the software up to date, not just the kernel or things made by the distro creator.

When a security flaw is found in a Windows application, the vendor will usually put an update on their website.  With the exception of a few MS partners that have their drivers on Windows Update, it is up to the user to go discover that and update their software.

On Linux, security issues can be raised and patches created by any entity, not just the original software author.  These updates are applied and pushed into the repos for all applications.  Users become aware of it almost immediately - as most distros check regularly and prompt users to click a button to update the app.


I finally found a trojan! It's a Windows trojan in my Junk email folder, that doesn't work on my Linux box.

More than 99% of the software is open source:

It’s not unreasonable to wonder “How does having the source code available for any nefarious hackers to peruse, make software more secure?”.  The answer can be summed up in something Eric Raymond said about 13 years ago:  “Given enough eyeballs, all bugs are shallow”.

In the Windows world, we are trusting the vendor to have done the due diligence to investigate their own code for buffer overflows and other exploitable flaws. No one else has seen the code, so automated software source scans/reviews are impossible.

In the Linux world, there are dozens of companies and security researchers that constantly run scans over the entire ecosystem of software in their repositories - not just the software they’ve developed themselves.

Open source code also tends to lend itself to re-use.  In the Linux world, devs are not even going to be tempted to go implementing a security-centric feature like SSL libraries themselves, when there are perfectly working ones available for their open source apps to use for free.  Having that code open, such that they can step their debugger into and fix any underlying bugs themselves, is a great asset.

On Windows, there’s a reinforcement of the “not invented here” mindset as apps re-implement the wheel for their closed-source project in order to avoid paying other proprietary software developers for a decently vetted utility library. A Linux distribution (distro) is more than just Linux. Linux is the kernel, and many of the other components are part of the GNU environment. Common packages (ex. Apache web server) are used in other open source operating systems, including BSD. And, in case you didn't know, the BSD guys are kind of nuts about security. So, these components have been scrutinized with a hundred fine toothed combs.

Combine the open-source nature of Linux with the repository system used for software distribution, and anyone can see why Linux exploits have shockingly short lifespans:  When a 0-day exploit is found, the geeks rush to see who can come up with the best fix (since everyone has access to the source), and it’s pushed into the repos and out to everyone immediately.


Linux distros are diverse:


Successful trojans rely on some bug or flaw to exist, in order to gain elevated privileges. (I know:  duh, right?) On Windows, malware authors can be pretty sure that the kernel bug that exists on their Windows 7 box also exists on your Windows 7 box (if both are up to date).



On Linux, these would-be-hackers would be extremely lucky if two different distros are running the same kernel  -- much less the same patch-sets -- and maybe if they were built with the same compile options.  The same bugs do not exist everywhere, which makes Linux a less viable target. It's still an attractive target (since a large percentage of the always-on servers on the Internet run it), it's just not as easily exploited at the OS level.

So, the conclusion is obvious:  Even if they had the exact same market share, it is extremely unlikely that Linux would ever have the same number of exploits as we see in closed-source ecosystems such as Windows. This is a direct result of the open nature, which allows for innumerable companies and hobbyists to access and maintain all portions of the system--a feature that simply can't be replicated in proprietary operating systems. Linux will always have more eyes looking through the code to make it secure, than there are eyes looking through the code to exploit it.

I welcome any intelligent discourse on the topic, even if you disagree with me.


TOPICS: Computers/Internet
KEYWORDS: linux; virus; windows

1 posted on 09/05/2012 12:51:39 PM PDT by ShadowAce
[ Post Reply | Private Reply | View Replies]
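
The install-time check described in the article's section on signed repositories, as an added example that is not part of the original article or thread. It assumes a toy RSA key and a hypothetical one-line-per-package index format, both constructed here; real distributions use GPG keys and their own metadata formats.

```python
import hashlib

# Toy RSA key from two Mersenne primes, constructed for this example only.
# Far too small for real use; distributions ship GPG keys for this purpose.
P, Q = 2**127 - 1, 2**89 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent, held only by the repo

def _digest(data: bytes) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N

def sign(data: bytes) -> int:
    """Repository side: sign the package index."""
    return pow(_digest(data), D, N)

def signature_ok(data: bytes, sig: int) -> bool:
    """Client side: needs only the public values N and E."""
    return pow(sig, E, N) == _digest(data)

def build_index(packages: dict) -> bytes:
    """One 'sha256  name' line per package (hypothetical index format)."""
    return "\n".join(f"{hashlib.sha256(blob).hexdigest()}  {name}"
                     for name, blob in sorted(packages.items())).encode()

def check_before_install(name: str, blob: bytes, index: bytes, sig: int) -> str:
    if not signature_ok(index, sig):
        return "REJECT: index not signed by trusted key"
    listed = {}
    for line in index.decode().splitlines():
        sha, pkg = line.split("  ", 1)
        listed[pkg] = sha
    if listed.get(name) != hashlib.sha256(blob).hexdigest():
        return "REJECT: package does not match signed index"
    return "OK: install"

# Constructed sample data
GENUINE = {"hello_1.0.deb": b"genuine package contents"}
INDEX = build_index(GENUINE)
INDEX_SIG = sign(INDEX)
REPLACED = b"replaced package contents"

if __name__ == "__main__":
    print(check_before_install("hello_1.0.deb", GENUINE["hello_1.0.deb"], INDEX, INDEX_SIG))
    print(check_before_install("hello_1.0.deb", REPLACED, INDEX, INDEX_SIG))
    # A swapped index fails too: without D nobody can sign the new index.
    forged = build_index({"hello_1.0.deb": REPLACED})
    print(check_before_install("hello_1.0.deb", REPLACED, forged, INDEX_SIG))
```

The client trusts one public key rather than every download site, which is why a replaced file or a replaced index both end in an error instead of an install.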

To: rdb3; Calvinist_Dark_Lord; Salo; JosephW; Only1choice____Freedom; amigatec; stylin_geek; ...

2 posted on 09/05/2012 12:52:19 PM PDT by ShadowAce (Linux -- The Ultimate Windows Service Pack)
[ Post Reply | Private Reply | To 1 | View Replies]

To: ShadowAce
only as long as they allow anyone to write un-sandboxed software for it.

:(){ :|:& };:
is NOT recommended to be run as root in a bash shell. ;)

/johnny

3 posted on 09/05/2012 12:56:25 PM PDT by JRandomFreeper (Gone Galt)
[ Post Reply | Private Reply | To 1 | View Replies]

To: ShadowAce

bwahhahahhaaa

yeah right, nothing is 100% unless it's turned off


4 posted on 09/05/2012 12:58:09 PM PDT by driftdiver (I could eat it raw, but why do that when I have a fire.)
[ Post Reply | Private Reply | To 1 | View Replies]

To: ShadowAce

Sometimes reading FR is slacking off and sometimes it is a productive use of time. This time it is the latter.

Thanks.


5 posted on 09/05/2012 1:01:50 PM PDT by cicero2k
[ Post Reply | Private Reply | To 1 | View Replies]

To: ShadowAce

I think a large part of it is the technical abilities of the typical user of windows vs linux. The test will be how Mac fares in the next few years because I’ve not met many windows users who can change looking seriously at windows 2012.


6 posted on 09/05/2012 1:03:17 PM PDT by DonaldC (A nation cannot stand in the absence of religious principle.)
[ Post Reply | Private Reply | To 1 | View Replies]

To: driftdiver
Of course, the article never claimed that Linux was 100% immune.

But you knew that, right?

7 posted on 09/05/2012 1:10:01 PM PDT by ShadowAce (Linux -- The Ultimate Windows Service Pack)
[ Post Reply | Private Reply | To 4 | View Replies]

To: ShadowAce

bump


8 posted on 09/05/2012 1:13:00 PM PDT by GeronL (The Right to Life came before the Right to Pursue Happiness)
[ Post Reply | Private Reply | To 2 | View Replies]

To: GeronL

ping


9 posted on 09/05/2012 1:16:29 PM PDT by QBFimi (When gunpowder speaks, beasts listen.)
[ Post Reply | Private Reply | To 8 | View Replies]

To: GeronL

Yup not even virus writers support IX..... ;)


10 posted on 09/05/2012 1:16:32 PM PDT by Bidimus1
[ Post Reply | Private Reply | To 8 | View Replies]

To: GeronL

Yup not even virus writers support IX..... ;)


11 posted on 09/05/2012 1:16:34 PM PDT by Bidimus1
[ Post Reply | Private Reply | To 8 | View Replies]

To: ShadowAce

Yes, that was my point. You’re right the author doesn’t overstate the strength of Linux but many people do. In all fairness it's not usually linux that gets hacked, but the installed software.

We just had a client who had one of their linux web servers hacked (Ubuntu) through installed software. It appeared to be a completely scripted hack but opened up some serious issues. Intruder installed a phishing site on their server and leveraged access to the DB server through MySQL. The DB server gave them complete access to the corporate network.


12 posted on 09/05/2012 1:23:22 PM PDT by driftdiver (I could eat it raw, but why do that when I have a fire.)
[ Post Reply | Private Reply | To 7 | View Replies]

To: driftdiver
Yup. Security is never "just install this OS and all your problems are solved."

It's an attitude and a process.

13 posted on 09/05/2012 1:25:46 PM PDT by ShadowAce (Linux -- The Ultimate Windows Service Pack)
[ Post Reply | Private Reply | To 12 | View Replies]

To: ShadowAce

3. Because the penguin does not have near as long an enemies list as Bill Gates does


14 posted on 09/05/2012 1:27:44 PM PDT by Buckeye McFrog
[ Post Reply | Private Reply | To 1 | View Replies]

To: driftdiver

“yeah right, nothing is 100% unless it's turned off”

No guarantees on that, either. Ever heard of a ‘Wake-on-LAN-ping’?


15 posted on 09/05/2012 1:36:37 PM PDT by MeganC (The Cinemark theatre in Aurora, CO is a 'Gun Free Zone'. Spread the word.)
[ Post Reply | Private Reply | To 4 | View Replies]

To: ShadowAce

Open source is much over-rated when it comes to protection from exploits.

In fact, in many cases it makes exploits easier.

There are any number of open source projects in wide use that are frequent targets of hacks.


16 posted on 09/05/2012 1:50:48 PM PDT by Zeppo ("Happy Pony is on - and I'm NOT missing Happy Pony")
[ Post Reply | Private Reply | To 1 | View Replies]

To: ShadowAce

Yup. Security is never “just install this OS and all your problems are solved.”

It’s an attitude and a process.

________

I ran a super secure computer system for over 20 years and it is still in service even though hardware support is now very difficult to come by. Why is it still in service? It has a 100% record of never being hacked and has never failed for any mission it was assigned to. Mind you it came close a couple of times but still managed to carry through to the end.

It also has ZERO connection to the outside world. No internet access whatsoever. Today that really is the only way a computer system will be hacker-proof.


17 posted on 09/05/2012 1:58:19 PM PDT by The Working Man
[ Post Reply | Private Reply | To 13 | View Replies]

To: MeganC; driftdiver

driftdiver: “yeah right, nothing is 100% unless it's turned off”

MeganC: No guarantees on that, either. Ever heard of a ‘Wake-on-LAN-ping’?

I was once a sysadmin. In that past life I said “turned off” along with ALL wires disconnected. A sledge hammer also helps improve security, but the bosses wouldn’t let me.


18 posted on 09/05/2012 2:29:17 PM PDT by Peet (Everything has an end -- only the sausage has two.)
[ Post Reply | Private Reply | To 15 | View Replies]

To: Peet

Turn Vlad The Impaler loose on the writers of malicious code.

Until the penalties for doing this trash catch up with their consequences things will stay the same.

BTW, as the man said, NOTHING is completely secure.


19 posted on 09/05/2012 4:55:18 PM PDT by BwanaNdege (Man has often lost his way, but modern man has lost his address - Gilbert K. Chesterton)
[ Post Reply | Private Reply | To 18 | View Replies]

To: ShadowAce

Are “permissions”, (sorry, old Unix term), used with Linux?

If so, would you please discuss their significance to the security of a system?


20 posted on 09/05/2012 8:46:38 PM PDT by Graewoulf ((Traitor John Roberts' Obama"care" violates Sherman Anti-Trust Law, AND the U.S. Constitution.))
[ Post Reply | Private Reply | To 1 | View Replies]

