Practical Technology

for practical people.

Linux Security: Good Enough


Linux is fundamentally more secure than Windows. There, I’ve said it.

ts not that Linux is some bulletproof wonder of security. Its not. If you want an operating system that really been built from the ground up to be secure what you want is OpenBSD. The crew behind it has made safe, sane security job number one before Bill Gates could spell security if you spotted him the s and the y.

But, to get back to the point, why is Linux more secure than Windows? First, its because Linux is open source. Yes, any cracker who wants can hunt for security holes all day long. Microsoft is closed source. If closed source is so much better for security, why is my virus detector still yelping every few minutes as the latest Windows virus, Swen, tries to e-mail it way in?
Indeed, what some security lunkheads claim is a flaw in Linux, its open source nature, has proven to be a security virtue. Potential security holes are spotted and fixed in Linux much faster than they are in Windows.

Don’t believe me? Consider, if you will, all of Linuxs security problems in the last year-and there has been lots-pile them all together and compare all the damage theyve done to real world productivity vs. the damage done in the last twelve months thanks to Blaster or SoBig or Bugbear or Badtrans or Elkern or Magistr or Sircam or Yaha or Nimda, and its clear that for all practical purposes, Linuxs security flaws are minor indeed.

Besides, Windows has always been insecure because of basic design flaws. Microsofts own fundamental operating system principles of enabling data and programs to work together at a low level has provided both the ability for programs to interoperate with each other over the network, from Windows for Workgroups dynamic data exchange (DDE) to Server 2003s ActiveX, while simultaneously giving crackers the ability to break into and corrupt Windows systems.
And, of course, thats exactly what theyve been doing. Over (ILOVEYOU), over (Melissa), and over (Blaster) again. Microsoft claims they want to do better. Indeed, Dave Aucsmith, Microsofts Security Business Unit CTO said back on April 18, 2003 if Windows 2003 was as vulnerable as previous versions of Windows, it meant that the companys security improvements approach “was wrong.”

Well, guess what, Microsoft was wrong. Dead wrong in the case of network administrators whove seen Server 2003 go down from one security exploit after another.

And, even now, after the worse summer ever for Windows security problems, after Ballmer has been humbled by Microsofts awful security, Microsoft is still up to its insecure tricks! What some find much to praise in Office 2003s collaboration features. I see bigger, badder security holes than ever. Yes, they are great features, but theyre also features that have hack me written all over them.

Linux simply never made this fundamental design mistake. In part, thats because Linux was always designed to work on a network and Windows, even now, is showing its desktop heritage of assuming that you can trust any data source. Of course, Microsoft has made some improvements like Enhanced Security Configuration (ESC) in the latest Internet Explorer and Server 2003, but, oh the irony of it all, to make such commonplace tasks as getting Windows own update patches, you have to amend and weaken your security policies to get work done.

With Linux security you dont have to play security games to make sure applications can work. Linux security is built on a foundation of stone, not sand.

Finally, there is no doubt that Windows is more popular than Linux. But, so what? Whining Windows defenders claim that its only because Windows is a bigger target that it gets hit so often. Nonsense. The real reason why Windows gets hit so often is because its an easier target. It it were popular and more secure, the script kiddies would be back playing computer games instead of games with Windows computers.

No, when push comes to shove, Linux has shown itself to be more secure than Windows in the real world. But, that said, the real secret to securing any operating system isnt the operating system itself. Its how its managers implement its built-in and third-party security tools.
For all of Windows recent woes, the simple truth is that most of them would have been mitigated has Windows administrators simply kept up with Microsofts security patches and used basic firewall measures. An unlocked door wont keep anyone else, but even a cheap lock will stop most petty online criminals.

Would Linux still be more secure? Yes, indeed. But, in the big bad real world, Windows could be doing a lot better.

To do security right, you have to be updating your programs and operating systems constantly. Windows, Linux, whatever. If you want your systems to be trouble-free, you need to take a lot of trouble. Hard work and constant diligence are the only real security answer. Its just that with Linux, you see, you dont have to work so hard.

A version of this story was first published in eWEEK.

Leave a Reply