I tend to disagree that Linux is more secure purely because it is open source. Yes, there is a great advantage to being able to see the code with many eyes to make it better; however, marketplace penetration really isn't there for Linux, so I feel it's premature at best to claim this approach is better than "security through obscurity". This is why the Heartbleed topic was brought up! OpenSSL is open source and yet a huge flaw was found.

OpenSSL is an application, not an OS. It's available for Linux, BSD, Mac and Windows. You are comparing apples and oranges.

The real test to how secure an OS is when it is targeted almost exclusively by hackers like Windows currently is today.

That's the common unproven Microsoft's claim. It's not only unproven, but it's non-sense. What are the more profitable computers for crackers? Your PC? My PC? Wrong! The computers of banks, Facebook, Google, ... And they don't use Windows. They use z/OS (banks) and Linux (Facebook, Google, ...).

Note that I am not claiming Windows is more secure!

Then you agree with me that Windows is less secure than Linux?

Far from it. My position is that there is no such thing as a secure OS

As I said, there are some simple OSes than can be considered secure, if correctly implemented. It's a long explanation, but it appears in some books, like Tannenbaum's "Modern Operating Systems" (the chapter on security).

Security of OSes can be compared here:

http://web.nvd.nist.gov/view/vuln/statistics

It uses CVSS for scoring. You can see that Linux is clearly more secure than Windows.

What are the more profitable computers for crackers? Your PC? My PC? Wrong! The computers of banks, Facebook, Google, ... And they don't use Windows. They use z/OS (banks) and Linux (Facebook, Google, ...).

It uses CVSS for scoring. You can see that Linux is clearly more secure than Windows.

A fair bit contradictory don't you think?

---

I tend to disagree that Linux is more secure purely because it is open source. Yes, there is a great advantage to being able to see the code with many eyes to make it better; however, marketplace penetration really isn't there for Linux, so I feel it's premature at best to claim this approach is better than "security through obscurity". This is why the Heartbleed topic was brought up! OpenSSL is open source and yet a huge flaw was found.

OpenSSL is an application, not an OS. It's available for Linux, BSD, Mac and Windows. You are comparing apples and oranges.

Claim: open source is more secure because more eyes are looking at it, and by extension Linux is a more secure OS because it is open source. (If X is true, then Y is true because Y = X)

Antithesis: Heartbleed is a flaw in an open source application that affected many systems despite being open source.

Conclusion: Open source is not more secure, therefore if X is != true, Y is true also then falls apart. You can no longer claim that Linux is inherently more secure because it uses open source as an example has been shown that proves that first claim false! You can, of course, change your argument to give other reasons why you believe Linux to be more secure, and those will be reviewed and investigated like all other claims.

We are not comparing apples to oranges. We are refuting false claims oft-repeated by Linux afficionados. Try to take into account what we're comparing before you make a claim that we're not comparing it right.

The real test to how secure an OS is when it is targeted almost exclusively by hackers like Windows currently is today.

That's the common unproven Microsoft's claim. It's not only unproven, but it's non-sense. What are the more profitable computers for crackers? Your PC? My PC? Wrong! The computers of banks, Facebook, Google, ... And they don't use Windows. They use z/OS (banks) and Linux (Facebook, Google, ...).

If a thief wants to maximize their profits, robbing a bank would be the better payoff, but they have to deal with the increased security, and all the alarms in place used by professionals for such an event. Alternatively, a thief that doesn't want to get caught can instead rob people's homes, most of which do not have advanced security systems in place. The payoff will be less, but not getting caught means you can move on to more of them to increase the profits.

That is exactly your example, and that is exactly why your example is more complicated. Sure, a bank's computers are more profitable than a standard home PC! But if a hacker actually wants to make off with the goods without being caught, they have a great chance doing so on "common" systems by trying to grab bank accounts of regular people. Most people use Windows, therefore Windows has a large target on it's back. Do you honestly think that if Linux held 95% of the world's OS marketshare and Windows only had 1%, that somehow there'd be less exploits? You're foolish if you do.

Note that I am not claiming Windows is more secure!

Then you agree with me that Windows is less secure than Linux?

No. I am saying that the security of a system is directly related to the person's expertise in using it. Someone who doesn't know what they're doing are just as likely to fall for a socially engineered piece of malware whether they're using Windows or *nix. And given Linux's market penetration in the desktop space, it's hard to see how anyone can claim with a straight face that it is more secure because it receives less attacks.

Far from it. My position is that there is no such thing as a secure OS

As I said, there are some simple OSes than can be considered secure, if correctly implemented. It's a long explanation, but it appears in some books, like Tannenbaum's "Modern Operating Systems" (the chapter on security).

The security of an OS has little to do with how it is implemented and everything to do with human/operator error. You can have the most secure OS in the world, but if a user does something they're not supposed to and allows a hacker to get in through a socially engineered attack, all that security means nothing.

Security of OSes can be compared here:

http://web.nvd.nist.gov/view/vuln/statistics

It uses CVSS for scoring. You can see that Linux is clearly more secure than Windows.

I also note these statements on that page:

This is a general purpose vulnerability statistics generation engine.

and

Important Note: Linux distributions are often made up of a large collections of independently developed software and it is sometimes difficult to determine which software packages should be considered part of the operating system and which should be considered independent but merely included along with the operating system. In addition, some vulnerabilities occur within the Linux kernel and for those vulnerabilities we do not enumerate all of the hundreds of Linux distributions. Thus, the statistics related to Linux must be interpreted carefully.

My emphasis has been added for clarity. So it seems that the findings on that site in regards to Linux aren't very accurate, and they designers proactively state they need to look into their tool and fix it. Do you really want to rest your case using such a weak tool?

Yep, banks security issues are detected quickly, and most flaws don't need to be the OS. Social engineering has always been greatly effective at targeted attacks.

Mobile devices are now getting hacked. How many of them are windows based? The big players I see are Apple, And Google. Isnt google a linux code?

---

[/quote]

Old James

A fair bit contradictory don't you think?

Why?

Claim: open source is more secure because more eyes are looking at it, and by extension Linux is a more secure OS because it is open source. (If X is true, then Y is true because Y = X)

I didn't said that. I didn't said that all open source is more secure than all closed source. I did said that Linux is more secure than Windows because it's open source and by other reasons (Unix design decisions, etc.).

And, as I said, you are comparing apples and oranges. We are talking about operating systems and you use as an example and application that is available for all operating systems.

If a thief wants to maximize their profits, robbing a bank would be the better payoff, but they have to deal with the increased security, and all the alarms in place used by professionals for such an event. Alternatively, a thief that doesn't want to get caught can instead rob people's homes, most of which do not have advanced security systems in place. The payoff will be less, but not getting caught means you can move on to more of them to increase the profits.

That seems an excuse to me. If the big companies that need security don't use Windows, then Windows security can't be so good. And, if they use Linux, then Linux security can't be so bad. There is a clear preference in these companies for Linux over Windows.

The security of an OS has little to do with how it is implemented and everything to do with human/operator error.

That's simply stupid. If an OS has less vulnerabilities, then it's less easy for an user to make the system fail or be attacked.

My emphasis has been added for clarity. So it seems that the findings on that site in regards to Linux aren't very accurate, and they designers proactively state they need to look into their tool and fix it. Do you really want to rest your case using such a weak tool?

In a nutshell, the 2 caveats are:

- Some software can be considered an app or part of the OS, and it's not always clear. My response: This software isn't so important for our discussion, it's like your OpenSSL example, software that is available for many systems.

- The are lots of Linux distros, so we only show a few. My response: This is also not so important for our discussions. A few Linux distros will suffice for a comparison.

Did you actually inspect the statistics?

Claim: open source is more secure because more eyes are looking at it, and by extension Linux is a more secure OS because it is open source. (If X is true, then Y is true because Y = X)

I didn't said that. I didn't said that all open source is more secure than all closed source. I did said that Linux is more secure than Windows because it's open source and by other reasons (Unix design decisions, etc.).

"I didn't say that but I just said it". You're contradicting yourself. You're not saying that open source is more secure than closed source, but you're saying that Linux is more secure than Windows because it's open source.

And, as I said, you are comparing apples and oranges. We are talking about operating systems and you use as an example and application that is available for all operating systems.

No, we're talking about the claim that open source makes a software more secure, such as your comment above that Linux is more secure than Windows because it is open source. A real-world example has been offered that shows that open source software isn't inherently more secure (regardless if that software is an OS or not), thus directly addressing the claim that Linux is more secure than Windows because it is open source.

You can keep claiming we're comparing apples to oranges, but then that shows you're unwilling to address the arguments you're raising to support your claim by misdirecting the argument as a false comparison when in fact it is a direct rebuttal to at least one of your claims.

If a thief wants to maximize their profits, robbing a bank would be the better payoff, but they have to deal with the increased security, and all the alarms in place used by professionals for such an event. Alternatively, a thief that doesn't want to get caught can instead rob people's homes, most of which do not have advanced security systems in place. The payoff will be less, but not getting caught means you can move on to more of them to increase the profits.

That seems an excuse to me. If the big companies that need security don't use Windows, then Windows security can't be so good. And, if they use Linux, then Linux security can't be so bad. There is a clear preference in these companies for Linux over Windows.

I work for a company that moves more money than most banks do in any given month (we are technically classified as a bank). We have over 60,000 employees in over 125 countries. My company uses Windows for most of it's servers, but we do use Linux where appropriate. To claim that big companies only use Linux and that Linux is solely chosen for it's security is misguided at best. Companies use whatever tools they feel will get the job done. Some banks still use OS/2 Warp for their ATM machines purely because it is so old, and so few people are familiar with it that it isn't hack-worthy.

No one needs to crack the OS to get information. They only need to crack the applications that run on the OS. How many times have we seen in the news where hackers are getting into company's database systems and stealing credit card information? (Yes, those same big companies you claim are all running Linux.) If you're only trying to prove one OS is more secure than another, you're missing the bigger picture in the security world.

The security of an OS has little to do with how it is implemented and everything to do with human/operator error.

That's simply stupid. If an OS has less vulnerabilities, then it's less easy for an user to make the system fail or be attacked.

That's short-sighted. You don't need to crack the OS or make it fail to get what you want out of an application running on it.

In a nutshell, the 2 caveats are:

- Some software can be considered an app or part of the OS, and it's not always clear. My response: This software isn't so important for our discussion, it's like your OpenSSL example, software that is available for many systems.

And again you're being extremely limited in your view. Security is more than just the OS, therefore it is important for our discussion. A computer system is more than just it's OS and most computers doesn't live in an isolated world.

- The are lots of Linux distros, so we only show a few. My response: This is also not so important for our discussions. A few Linux distros will suffice for a comparison.

I'm unconcerned with how many distros they list, and I never claimed it was important.

Did you actually inspect the statistics?

Did you give me reason to trust that the statistics are important and weighted correctly? Because I'm pretty sure I just gave you reason to believe that they are not (which, of course, you dismiss).

Since you clearly lack basic knowledge on computer security, I'll stop discussing about this with you.

Since you clearly lack basic knowledge on computer security, I'll stop discussing about this with you.

That's very narrow-minded of you. did you not read his post fully?

I work for a company that moves more money than most banks do in any given month (we are technically classified as a bank)

...that alone states, especially as he is an I.T. tech of some standing, that he is aware of even basic security so disproves your statement.

---

...

I work for a company that moves more money than most banks do in any given month (we are technically classified as a bank)

...that alone states, especially as he is an I.T. tech of some standing,

Quite possibly...

... that he is aware of even basic security so disproves your statement.

Hardly...

There's been lots of blather about basic human weaknesses about security, possibly.

However, I've seen nothing actually discussing an awareness of ideas such as "security by design"...


And then, what systems do you trust? The pretty big friendly coloured easy-click button saying "Trust Me" backed by expensive Marketing? Or something that you know has a good history of honest consistent security?


IT is what we allow it to be...
Martin

---

See new freedom: Mageia Linux
Take a look for yourself: Linux Format
The Future is what We all make IT (GPLv3)

And then, what systems do you trust? The pretty big friendly coloured easy-click button saying "Trust Me" backed by expensive Marketing? Or something that you know has a good history of honest consistent security?

Where Linux is concerned, many home users couldn't give a rat's ass about security if they can't get it to work in the first place.

Home Users dilemma...

Microsoft = Windows Home/Professional

Linux = ???? ??? ???? for chirst's sake, which one do I pick...

...Ah bugger this for a game of soldiers, just stick Win XP/Vista/Win 7/Win 8.1 on it, I know how they work!

Home user satisfied.

To get Linux into the homes & having a market share such as Microsoft's will entail Linux geeks leaving forums such as these and become the "Jehovah Witnesses" of the I.T world.

---

To get Linux into the homes & having a market share such as Microsoft's will entail Linux geeks leaving forums such as these and become the "Jehovah Witnesses" of the I.T world.

The "home" is not where the future of computing is going. Where is Linux for smartphones?

---

To get Linux into the homes & having a market share such as Microsoft's will entail Linux geeks leaving forums such as these and become the "Jehovah Witnesses" of the I.T world.

The "home" is not where the future of computing is going. Where is Linux for smartphones?

Android.

The "home" is not where the future of computing is going.

True, it will be in "the cloud", a true misnomer if I ever saw one - a "modern" rebranding of something that is at least 25 years old.

The future of computing will not be in computing itself but in the "Security of the cloud" regardless of what O/S will be used.

The cloud is not & never will be 100% secure & each company that provides "a cloud" will have to secure their clients data or else their clients will move to one "more secure".

Personally, I prefer my data on a local storage under my complete control and will never be asked to pay a subscription fee to access it.

---

Since I clearly lack basic knowledge on computer security, I'll stop discussing about this with you.

TFTFY

To get Linux into the homes & having a market share such as Microsoft's will entail Linux geeks leaving forums such as these and become the "Jehovah Witnesses" of the I.T world.

The "home" is not where the future of computing is going. Where is Linux for smartphones?

Android.

With 81.3% of the market I assumed Google was behind the open source to keep M$ and Apple out of their business of spying for advertisers.

---

To get Linux into the homes & having a market share such as Microsoft's will entail Linux geeks leaving forums such as these and become the "Jehovah Witnesses" of the I.T world.

The "home" is not where the future of computing is going. Where is Linux for smartphones?

Android.

With 81.3% of the market I assumed Google was behind the open source to keep M$ and Apple out of their business of spying for advertisers.

You are correct.

To get Linux into the homes & having a market share such as Microsoft's will entail Linux geeks leaving forums such as these and become the "Jehovah Witnesses" of the I.T world.

Finally, you and Chris agree on something.

---

Life on earth is the global equivalent of not storing things in the fridge.

We've always agreed, even to disagree :-)

I use Apple, Microsoft & Linux, none of them are better than the other - each has its own strengths & weaknesses.

---