Linux is a security mess

Or at least so this article claims. Now while I have read it, I understand close to nothing about the complexities and inner workings of the system, I’m the most plain-jane user you can think of, so I have no idea if and how wrong the claims in this article are.

This is why I’m asking you. What do you make of it?

I am not an IT security expert but I can see that this article is one-sidedly picking out negative aspects and not really weighing them up rationally. Advantages of Linux over other operating systems are not mentioned and everything is very theoretical.
In practice, Linux desktop systems are quite secure and I am not interested in theoretical advantages of Windows when the Internet is so full of Windows malware.

5 Likes

Not to speak of all other issues like Microsoft spying on you constantly, backdoors to the Five Eyes and other institutions, the ever coming system wide lockdown into their store etc. As far as I’m aware, Windows doesn’t even offer disk encryption by default (most distros give you the option at install), which is the easiest attack out there: steal a laptop and you own all the user’s files instantly.

3 Likes

The biggest security problem of any system is the person sitting in front of it.

(or the person doing the administration for it)

6 Likes

The article is focusing on bolt-on security tech; some would argue that those lines of code are just another layer of potentially exploitable bugs. I wonder how the author would view OpenBSD or other more minimalist approaches.

The answer should be empirical: are Linux systems exploited to a larger extent than Windows/macOS?

I like how it disparages existing sandboxing in section 1 and later disparages namespaces in section 3, because AFAIK the main purpose of namespaces is sandboxing… It also praises Windows for removing font parsing from its kernel, while it has never been in the Linux kernel to start with.

Meanwhile in Redmond…

2 Likes

The biggest problem I see with this article is that the author is talking about “Linux” pretty generically. I guess from context they mean specifically “Linux on the Desktop”, but even still that is a very broad and diverse category to make such declarative statements about.

Just starting off in section one, he compares Desktop Linux to ChromeOS. While ChromeOS is not typically considered a Linux Distro, it actually does use the Linux kernel and shares quite a bit of userspace in common.

If strict sandboxing is your idea of security, you’d be hard pressed to do better than Qubes, a distro that is all about strictly sandboxing your applications and data.

Support and tooling for sandboxing applications varies by distro, with most being very permissive in the name of convenience, but several (particularly those aimed at professional, enterprise use) supporting some very strong sandboxing features by default.

The author cherry-picks two examples that are easily skewered, but fails to mention SELinux at all.

In the non-desktop space, containers have all but become the de-facto standard. So hosted applications are strongly sandboxed by default.

Section 2 is entirely misguided. First of all, there is no evidence that the choice of programming language has any impact on the overall security of an application. In fact, the most recent research I’ve seen suggests that there is no correlation at all between the language an application is written in and the number or severity of vulnerabilities found in that application.

Furthermore, Windows and Mac “moving towards” Rust and Swift is basically nonsense. The vast majority of both operating systems, including the kernels of each, are still written in C++ and C. Nobody is going back and re-writing Microsoft Office in Rust to take advantage of memory protections.

The thing that all three (Windows, Mac, and Linux) ARE doing is implementing memory address protections in their kernels that apply to all of userspace, regardless of the language applications are programmed in.

In Section 3, he blasts Linux’s kernel, then admits that Windows does no better. Even worse, Windows relies on code signing to protect users from malicious kernel code (third party device drivers). The problem is that Nvidia’s signing keys were leaked by hackers, and ever since malware authors have been using them to sign exploits that Windows systems trust by default.

Linux users rarely need to download and install third-party kernel code (like device drivers) and so kernels can be compiled with module loading disabled and render this entire attack vector moot.

Skipping to the end, in Section 8 the author seems to willfully misrepresent some of the other security researchers they cite as agreeing with their views. For instance, Joanna’s praise of Mac OSX could also be seen as throwing shade at them for adopting features that QubesOS had developed almost a decade prior.

All this to say that yes, Linux security is a mess. Just as Linux audio is a mess. Linux anything is a mess. Linux is messy, that’s just what it is.

Windows and OS X and ChromeOS have messes and warts of their own. The difference is that with Linux, at least you can choose to make it your mess. With Windows, OS X, and ChromeOS, you’re pretty much stuck with the mess you’re given.

I’ve been using and developing on Linux for about two decades now, with a persistent focus on security. I can acknowledge that there’s plenty of room for improvement. However I don’t agree with the author’s assertions that Linux itself is lagging behind the commercial alternatives. If they’re looking only at Ubuntu and other “bridge” distros (the ones that cater to people switching from Windows or OS X) then it will seem more dire than what I would consider typical for more security-focused distros.

10 Likes

If anything, Linux is AHEAD of the game on this one. Of the three, it’s the only one where Rust has even received consideration for use in some kernel components, let alone actual work being done.

As to whether or not Rust is all it’s cracked up to be - I’ll leave that to others. I’ve found toolchain API/ABI stability to be… questionable. If nearly every Rust program on the planet is basically BUILT by an integrated package manager (cargo), and nearly every Rust program needs a different toolchain version than what is installed by a distro package manager forcing you to use rustup, you’ve got a problem.

But if one wants to insist that “moving to” Rust is a good thing, Linux is way ahead here.

1 Like

In my short time in an IT informed municipal unit, one of the keys to solid security is active awareness and involvement. There is no greater risk than to sit and cross your arms and say that the work and watch is over based on one’s general opinion of particular sets of tools such as OSes. Assumptions, slow/apathetic response, unwillingness to learn, laziness and

make systems fragile.

but fails to mention SELinux at all.

Not really: “Linux has yet to provide strong mitigations against this avenue of attacks. SELinux does provide the execmem boolean; however, this is rarely ever used”

But yes, there is much more to say about it (even if Linus T doesn’t like it much IIRC).

That’s true, the author does mention it briefly later on, but not in Section 1 while discussing other tools that provide similar access control protections.

Torvalds is pretty dismissive of security in general. It’s just not a topic that interests him at all. I think he considers people who build hardened distros to be tin-foil hat nut jobs.

Abstractly speaking, Linux has been on my RB2011UiAS-2HnD-IN router for about 10 years now. True, everything there is modified, but it’s Linux.
However, for the file dump I use TrueNAS and this is fbsd. Well, I’m afraid of all sorts of btrfs. I’m a bit more relaxed with zfs.
I don’t agree about the security chaos under Linux. Linux disciplines a person. It disciplines everything.

Reading the article - the impression is that the other systems - Mac OS, Windows and Chrome are much better than Linux.

Oddly enough - despite how much better they are (according to the author of the article) they are still compromised.

At the end - likely all of them have both pluses and minuses.

Well, Poettering agrees with him.

Probably the few places Linux falls behind from the perspective of modern security practices is the lack of code signing/notarization/authenticated boot. A lot of distros do full disk encryption poorly too. Personally I’d like to see a Windows-style process-based firewall as well; I don’t want to open port 443 for everything, just this particular binary. SELinux fills a gap here for sure as it can block rogue processes from binding to a port, but I’d still like to see it at the firewall level. As much as Wayland is panned (rightfully so IMO) for missing some features, it does bring some much needed security improvements on the desktop side as each application can no longer see everything else on your environment by default.

While I think code signing/notarization/authenticated practice is a huge problem from the FSF and free software side (at least as it’s implemented currently by the tech companies) there’s definitely an argument for it for most people as far as security goes. Having the whole stack down to the firmware authenticated and checked would prevent programs and operating system components from being replaced unknowingly. I would want a way to disable it or provide my own key or something so I’m able to run anything on my machine, but for the in-laws? Yeah, no, they don’t need to run anything not from the App Store. They can’t be trusted with a web browser really.

I think there is a strong fallacy with open source == more secure. I think maybe 20 years ago this was more true as security research wasn’t such a big field and there were fewer companies out there looking for exploits and selling them to the highest bidder. People who looked at code were generally more interested in improving it and there wasn’t a lot of financial motive to not report something like there is now. Nowadays I think closed source stuff has a slight edge just from a slightly higher barrier of entry. Plus, generally Microsoft and Google have strong bug bounty programs and professional security auditors. Apple has an OK bug program but not great. Even with that there are still plenty of big “uh oh” moments with those. Open source today I think can be a bit of a liability. I still love and use libre software every day but I think overlooking the “mercenary security researcher for hire” problem now because we have a moral high ground is a poor decision.

Ultimately, at least at the organizational level, all your security can be defeated by someone offering the right person a sack of money and a passport to a country without an extradition treaty really.

1 Like
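As an added illustration (not from the thread or the article it discusses), here is the closest thing stock Linux offers today to the per-binary firewall rule wished for above: run the program under a dedicated account and let nftables match on the socket’s owning uid. The account name `webclient` and the idea of starting the program with a systemd `User=webclient` line are assumptions.

```nft
# Added example: allow outbound TCP/443 only for processes running as the
# (assumed) dedicated user "webclient"; everything else on 443 is logged and dropped.
table inet appfw {
    chain output {
        type filter hook output priority 0; policy drop;

        # Keep loopback and already established flows working.
        oifname "lo" accept
        ct state established,related accept

        # Name resolution for all local processes (adjust to your resolver setup).
        udp dport 53 accept
        tcp dport 53 accept

        # HTTPS is opened only for sockets owned by the webclient uid.
        meta skuid webclient tcp dport 443 accept

        # Anything else that tries to leave falls through here; the log line
        # carries the uid so the detection side can see which process tried.
        log prefix "appfw-drop: " counter drop
    }
}
```

The match is on the socket owner rather than the executable, so a compromised process running as the same uid still passes; pairing it with the SELinux port binding controls mentioned above narrows that gap.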

The issue with systems is that they are only secure (factoring in known vulnerabilities and mitigation) until the next breach. Given the complexity and volume of code, there are most definitely more angles of attack than ever before as code becomes lengthier and more complex. Hence, “open-source is more secure” breaks down, since it would be harder to sift through it all. Still, there is something honest and practical about open code. I wouldn’t trade it for closed even though I would not enjoy reading or understanding the source in great detail. I may be a :nerd_face: but I spread my time between preoccupations like jam.

So, corporate involvement in open-source good? Debatable but it allows for more eyes on the code, even though the extensions and real benefits from the relationship will be behind a walled and bounty-filled garden.

I agree. I’m not planning on running Windows anytime soon although I would be lying if I said I was not tempted by an ARM Mac. They are quite nice. But I wouldn’t be switching because I thought it would solve my security problems, just that it’s a nice piece of hardware and really macOS is pleasant to use. But there’s not a technical nirvana, just trading one set of problems for another. For me losing control of my device isn’t worth some marginal gain in security considering my threat models. Now if I were the target of some state-sponsored things? Maybe. But at that point I’d just give up computers and send you all letters written on my beautiful IBM Selectric III.

Hey, now there’s an idea! Analog pixls.us! Mail each other written forum posts and prints.

Speaking of preoccupations, I think I’m one of the few people east of the Mississippi that can repair those. Beautiful, but the only thing more mechanically complicated I’ve taken apart was a non-electronic automatic transmission.

Corporate involvement brings its own problems but also some benefits. I worry about Google’s involvement in Debian for sure. I work in some of these fields and some of the so-called security researchers that are basically guns for hire really don’t rub me the right way. The whole thing with the Pegasus malware is a good example of that. That’s what concerns me about open source these days. As you say, lots to dig through and it seems there’s good financial incentive for someone to do it and build a rootkit, malware or other nasty to sell to whoever instead of reporting it.

1 Like

Snails and trolls would not get along; however, pranksters and terrorists may replace the latter. I may have to wear protective gear and teach my old dog to alert me of dangerous packages.

1 Like

I disagree on this, unless you’re referring to application binaries. Linux has supported secure boot for kernels and kernel modules for years, along with a way to provide your own key.

For applications - there are solutions, but they have so many side effects that they generally don’t get employed unless the distribution is extremely hyper-focused on security. (dm-verity on Android is NOT popular with the enthusiast crowd…)

1 Like

Operating systems use code signing, sandboxing, firewalls and other security measures. Still, the largest problem for private computer users, public administrations and companies is very simple ransomware attacks.
At least with regards to these threats, at the moment, I feel more secure as a Linux user.

2 Likes

Ultimately yes I mean the whole stack. Without the userspace it’s like that XKCD comic where yeah the system is protected but your data is still vulnerable from rogue userspace stuff.

While Linux supports secure and authenticated boot most distros don’t support it in the best way. Hopefully that improves.