Monday, April 5, 2010

Linux: As vulnerable as Windows?

Before any Linux users burn me in effigy, please read a little further. Enterprise Linux is rock solid and as secure as anything out there - and more secure than most. But how secure is desktop Linux?

Before answering that, perhaps we should think about why Linux in the Enterprise is so secure. Actually, we don't have to think about it because Fewt of the Fewt blog already has. And the conclusion he has come to is that the things that make installing and using desktop Linux so user friendly are exactly the things that make it insecure.

I'm ashamed to admit that I've never considered that the changes made to make desktop Linux simpler to install and run than enterprise Linux could create security risks. For instance, creating a single partition instead of having different partitions for different directories removes one of the security features of enterprise Linux. Fewt says it much better than I can:
With a Desktop Linux system, non enterprise savvy users are given the keys to a wide open platform and nothing protects them from the elements. We as a community have falsely sold our users that this platform inherits the security capabilities that you find within Enterprise Linux, we just aren't telling them the whole story.

By default, every single Desktop Linux system I have reviewed or tested fails in every possible way. None of the measures normally applied to protect Enterprise Linux systems are present to reduce risk of vulnerability. In addition those enterprise controls must be altered slightly as the use case is so greatly different than that of an Enterprise Linux deployment.

Are you using desktop Linux? Do you have the know-how to secure it, and if you do, have you? If you've convinced friends to run Linux, have you secured their systems for them?

Fewt doesn't just bemoan the fact that desktop Linux is not secure. He points users who want to secure their systems to resources to help them do exactly that:

https://help.ubuntu.com/community/Security
http://www.nsa.gov/ia/_files/os/redhat/rhel5-guide-i731.pdf
http://people.redhat.com/sgrubb/files/hardening-rhel5.pdf
http://ubuntuforums.org/showthread.php?t=510812

He then offers the advice that if you find the information at any of those links too complicated you should stop using linux. He's not being snobbish or suggesting you have to be a Linux administrator to secure Linux. He's saying that if you're not comfortable taking the steps needed to protect your data - and perhaps your reputation - you should use an operating system that protects you while staying in your comfort zone.

If you are a user or a fan of desktop Linux I suggest you check out fewts blog entry and the links he gives to help you secure your desktop. He gives a very clear, very informative case for desktop Linux's insecurity.

In any security situation you're only as secure as the weakest point. Often that's the users password. In desktop Linux it looks like the OS itself may be the weak point. There are already enough weak links in any OS without opening the lock and throwing open the gate for the bad guys.