Linux anyone ?
I don’t want to sound dismissive; this is a genuine question and not an attack on Linux.
Other than security by obscurity, how is it possible that an operating system whose entire source code is available to hackers to peruse at will could be more secure than a closed source one?
Security by obscurity doesn’t work. Microsoft software has always been closed source, and that has never prevented hackers from making exploits.
Open source software allows hundreds of thousands of people to comb over the code and find/fix vulnerabilities much more easily.
It’s also true that because of the way Linux is developed, security flaws in Linux are patched much faster than in other projects, with Linux patching issues in an average of 25 days compared to Microsoft’s 83 days. And the gap is widening, recently Linux has got that down to 15 days.
There’s a reason companies go with Linux for servers that handle sensitive information or are business-critical. And there’s a reason why the best encryption algorithms are all open source.
Because if a vuln gets found or exploited, it gets immediately patched, often with some big backing by OEMs that run on Linux.
Open source also reduces the likelihood of exploitable bugs going unnoticed because everyone can see and play with the source code by themselves.
There is a risk of malicious merge requests, but so far that hasn’t been a problem besides a university getting banned for pointing out the issue with a live test without telling the devs.
Much of Linux is also designed to be hardened by default because it’s used on so much infra. SELinux by itself is a great example, because it was essentially created by RedHat and is now a major standard for MAC.
Windows, on the other hand, needs Microsoft alone to solve the problem. No one can patch it themselves, and there’s no guarantee the patches will work, which has happened several times. I believe the print spooler basically had to be disabled because there was no good solution due to the implementation.
The number of Windows-specific exploits vs Linux-specific exploits kind of shows the results of closed source vs open source.
The worst vuln I can think of for Linux is Dirty COW, which is a local priv esc on basically Linux kernels 2.x–4.x. It was a big deal when it was discovered because of the range of versions.
Meanwhile, Windows had EternalBlue, a whole remote code execution that existed on every version of Windows since Win95, which the NSA kept for probably a decade before it was leaked.
Imagine for a moment that the business world transitioned to Linux, and now there’s enormous incentive for all adversaries, from state-sponsored to financially motivated criminals, to spend all their time hunting through the Linux source code.
- Do you think the ideas above stand up? (I’m not saying they don’t.)
- Would Linux vulnerabilities be found at a higher rate? I wonder if they aren’t now because there aren’t as many eyes on them. Sure, there are corporate side-project efforts and volunteers; I’m just curious how that stacks up against the amount of research happening to break Windows systems.
- The NSA would definitely want to keep some Linux exploits around if their adversaries were using Linux instead of Windows. I think the result would be the same regarding EternalBlue.
Because many eyes are there watching it. While not everyone is an active kernel hacker, many parties have an active interest in certain aspects of the kernel, and watch source code and patches closely.
Yup. E.g. years ago Huawei tried to merge something in the kernel that had a glaring security hole, many speculated that it was a deliberate attempt to add an exploit to the kernel.
It was immediately spotted before it even got close to being merged, and of course it got rejected.
The likes of Google, Microsoft, RedHat/IBM, Intel, AMD, the Khronos Group, etc. are always investigating what other companies are trying to implement in the kernel. They obviously won’t stand for any dodgy stuff from another company being injected into the kernel.
Everything is highly scrutinised, not just by the kernel maintainers, but also by the contributors.