Like it or not, Linux has taken over

Thread Starter

joeyd999

Joined Jun 6, 2011
6,330
So Linux is the perfect operating system and is impossible to crack.
It is possible to create a bad installation that is easily hacked. And this happens.

In general, Linux distributions are locked down by default, limiting the attack vectors.

The code can be seen by everyone, good and bad alike, unlike Windows. Zero day vulnerabilities are far more likely when the good guys can't see the code.

Kernel & userspace code is updated frequently. There is no expectation of binary compatibility going back years (decades, even), so existing vulnerabilities are easier to fix without affecting user experience.

Services run sandboxed. Hacking a single user or service in Linux does not expose the whole system, and limits the ability of malware to do damage and spread to other systems.

Linux is not a monoculture. There are many variants of the kernel, user space tools, and versions. Successfully infiltrating enough boxes to do significant damage is difficult. Exception: IOT is a huge problem right now. All IOT are pretty much Linux, and many manufacturers are not following best practices during development and roll out.
 

Thread Starter

joeyd999

Joined Jun 6, 2011
6,330
Microsoft is a $600B company. Let's call them "Big Software." Someone explain to me why they should not be held responsible for the failure of their software to protect the valuable data of their customers.

At least nail them for false advertising. Every new Windows is the "Most Secure Ever," yet year after year the problem only gets worse.

Most of the http traffic on the internet is malicious data generated by malware running on their crapware. I know this because I review my server logs every day.

It is unbelievable their negligent and costly practices are allowed to persist without consequence.
 

Reloadron

Joined Jan 15, 2015
7,891
My first Linux experience was Suse 8.0 or maybe 9.3, it was over 20 years ago and I forget. Linux was novel and I ran dual boot systems but I still see the same problems with Linux I saw over 20 years ago. This distro and that distro as the users and developers were not working together on a single distro. That sucked. Many European Internet Cafes were going Linux as the cost of Windows plus the heavy taxes made Linux the ideal choice for browsing the Internet but again, as far as productivity outside of Open Office there was not much to be had and most of the productivity software I worked with daily ran on only a Windows platform. Collaboration through multiple secure servers with 25,000 other employees globally using productivity software was not going to happen, not then and not now. Pro-E (Pro-Engineer) being one example and Orcad being another where we had global collaboration. Everything was created for a Microsoft Windows platform. Linux did make some good server side stuff but as far as productivity suites? Open Office in 2002 was like running Microsoft Office 97.

The problem with Linux, despite my dislike of Microsoft, was as I mentioned. A dozen different teams working their own little distros.
List of Linux distributions That alone made Linux a nightmare. So while I despise Windows 10 for example none of my work or productivity software ran on Linux and likely because the guys developing the software could not settle on a distro of Linux to develop for. If all I wanted and needed was Internet and basic office function software then Linux would be fine but I do not see Redmond becoming a ghost town anytime soon and I have been watching Linux for about 20 years now. Well going back to Windows 95.

Ron
 

bertus

Joined Apr 5, 2008
22,932
Hello,

As @Reloadron says, there are MANY linux distributions.
A lot of them are derived from large distributions to have specific properties.
I started using linux when there were many virus attacks on WIN98SE.

Here is a site where you can find information on a LOT of linux distributions and news about linux:
http://distrowatch.com/
If you want to try a linux distribution without an installation of it, you can try the live distributions from this site:
http://livecdlist.com/

Bertus
 

wayneh

Joined Sep 9, 2010
18,116
It is possible to create a bad installation that is easily hacked. And this happens.

In general, Linux distributions are locked down by default, limiting the attack vectors.

The code can be seen by everyone, good and bad alike, unlike Windows. Zero day vulnerabilities are far more likely when the good guys can't see the code.

Kernel & userspace code is updated frequently. There is no expectation of binary compatibility going back years (decades, even), so existing vulnerabilities are easier to fix without affecting user experience.

Services run sandboxed. Hacking a single user or service in Linux does not expose the whole system, and limits the ability of malware to do damage and spread to other systems.

Linux is not a monoculture. There are many variants of the kernel, user space tools, and versions. Successfully infiltrating enough boxes to do significant damage is difficult. Exception: IOT is a huge problem right now. All IOT are pretty much Linux, and many manufacturers are not following best practices during development and roll out.
Most of these comments apply to MacOS X as well, which likewise has a good record. I don't know any Mac user that uses protective software beyond the OS.
 

Thread Starter

joeyd999

Joined Jun 6, 2011
6,330
Most of these comments apply to MacOS X as well, which likewise has a good record. I don't know any Mac user that uses protective software beyond the OS.
I don't like the walled garden approach. Achieving security by limiting the actions of legitimate users seems far too liberal to me.
 

wayneh

Joined Sep 9, 2010
18,116
I don't like the walled garden approach. Achieving security by limiting the actions of legitimate users seems far too liberal to me.
I'll admit to being no OS expert, but as a casual user I don't see how my actions are limited by anything but my own abilities. macOS is "just" a GUI on top of the Unix underneath, which I can access anytime I want. For the most part, I don't want.
 

Thread Starter

joeyd999

Joined Jun 6, 2011
6,330
I'll admit to being no OS expert, but as a casual user I don't see how my actions are limited by anything but my own abilities. macOS is "just" a GUI on top of the Unix underneath, which I can access anytime I want. For the most part, I don't want.
It's modified closed-source BSD UNIX underneath. The license does not require Apple to share their code or modifications, so, therefore, you are limited in what you can do at the kernel (and subsequently, userspace) level, even if you knew how.

They are in full control over what you can do with your hardware.
 

markdem

Joined Jul 31, 2013
113
It is possible to create a bad installation that is easily hacked. And this happens.
Yep, I agree. So in fairness to Microsoft, they have recommended that best practise is to disable SMBv1 for at least 6 years now. Also remember that SMB is not a Microsoft-only protocol. Linux uses it too, it is called CIFS.

What really gets me going about this is;
1 - What kind of moron has port 445 open to the outside internet?? SMBv1 was never designed for unsecured networks. Remember, it was designed in the early 90's.
2 - Notwithstanding the fact SMBv1 should be disabled, Microsoft patched the issue in March. Again, what moron takes 6 weeks to apply critical patches on end user computers?

As much as I hate Microsoft, in this case I am going to defend them. Errors in software will always be a fact of life regardless of platform (heartbleed anyone...). What we need is people that know how to secure networks. This means stopping using useless dimwit from India to manage networks..

Sorry, just had to get that off my chest...
 

Thread Starter

joeyd999

Joined Jun 6, 2011
6,330
Also remember that SMB is not a Microsoft-only protocol. Linux uses it too, it is called CIFS.
Ummm...yeah. It's called Samba, and is a GPL'd implementation of Microsoft's (initially IBM's) CIFS/SMB file sharing service. It is not integrated into Linux (unlike Microsoft, it runs as an independent service) and is entirely optional to install and/or run. In fact, I think it is safe to say there is an implementation of (at least nearly) every Windows service available for Linux (and many in Linux that are unavailable to Windows users).

The service does not make an OS insecure. The implementation does. Microsoft has relied on Security Through Obscurity (and paid third-party security suites) for years, and it has bitten them and their users repeatedly (and us non-Windows users via fallout).

Why anyone defends them, I have no freakin' clue. If they manufactured Ford Pintos with the full knowledge they were likely to explode when rear-ended, you guys would be all over them.
 

markdem

Joined Jul 31, 2013
113
Hmm, I am not sure, but I think I am being trolled here... Just in case I am not, here is my reply.

unlike Microsoft, it runs as an independent service
Rubbish. In windows the service is called LanmanServer (a throwback from the LAN manager days..) It is just like any other service, it can be stopped, disabled and uninstalled.

The service does not make an OS insecure. The implementation does.
I agree. In this case SMBv1 was known to have this issue. (Not when it was designed, but the issue was documented about 7 years ago). It was not even a bug as such, it was simply written back in the days when networks were isolated. SMBv1, irrespective of what platform, was never meant to be used on the (current) internet.
This is true for Windows, MacOS and Linux. This is true for lots of protocols, SMTP, SNMP or things like DALI. I know this might sound dumb, but even DNS these days is not really suited to be on the internet hence why we have extensions like DNSSEC. In fact, that is a great example of what I am talking about. BIND has the same issues as windows DNS when it comes to things like cache poisoning.
The implementation, however, is not from the point of view of the OS. It depends on the user implementing it. There is NO, I repeat, NO reason to have port 445 open inbound on a production network. Do you have port 22 open on your firewall? Let's hope not. Why not? Because it is not secure. Just good administrative practice.

If they manufactured Ford Pintos with the full knowledge they were likely to explode when rear-ended, you guys would be all over them.
Nice analogy. A car manufacturer builds a car with an issue 27 years ago (IBM\Microsoft did not know of the issues back then) because that's how it was done at the time (leaded fuel for example). Finds an issue, releases a patch (or asks people to stop using it), I would say that vendor has done the right thing.
Issues with products are always going to be with us. I will again remind you of heartbleed. That affected Linux in the same way as Windows. SSL is open source too.

This whole issue could have been, no, SHOULD have been fixed when the firewalls were being installed in the companies affected. In fact, I have never seen a firewall that by default allows ANY ports inbound. Someone would have needed to open the port for this to happen.. This would not stop spread from the inside (user opens an email with virus and runs it), but this is where disabling SMBv1 comes into play. Network admins, unless there are legacy OSs on the network, should have already disabled SMBv1.
The problem here is not with Microsoft or Linux. It is with the managers of these companies not putting effort into IT. Gone are the days of IT just being some department in the basement that makes sure the calculators are working. These days most companies will stop production if IT is affected. If you hire, or outsource, useless people you will get useless results like this.
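
The two checks argued over in the posts above (SMBv1 still permitted, port 445 listening beyond loopback), shown for a Samba host as an added example that is not part of any poster's reply. The `smb.conf` text and the `ss -tln` output are constructed samples, and the function names are hypothetical.

```python
# Added example: audits a Samba config and a listener table for the two
# conditions discussed in the thread. All sample data below is constructed.
SMB1_DIALECTS = {"CORE", "COREPLUS", "LANMAN1", "LANMAN2", "NT1"}

SAMPLE_SMB_CONF = """\
[global]
   workgroup = EXAMPLE
   ; constructed sample: legacy setting that still permits SMBv1
   server min protocol = NT1
[share]
   path = /srv/share
"""

SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      50     0.0.0.0:445        0.0.0.0:*
LISTEN 0      128    127.0.0.1:631      0.0.0.0:*
LISTEN 0      50     [::]:445           [::]:*
"""

def samba_min_protocol(conf_text):
    """Return the [global] minimum server dialect in upper case, or None."""
    section, value = None, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            key, val = line.split("=", 1)
            # Samba ignores case and whitespace in parameter names.
            if "".join(key.lower().split()) in ("serverminprotocol", "minprotocol"):
                value = val.strip().upper()
    return value

def exposed_smb_listeners(ss_output, port=445):
    """Return local sockets listening on `port` on a non-loopback address."""
    exposed = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        addr, _, p = fields[3].rpartition(":")
        if p == str(port) and not (addr.startswith("127.") or addr == "[::1]"):
            exposed.append(fields[3])
    return exposed

def audit(conf_text, ss_output):
    proto, findings = samba_min_protocol(conf_text), []
    if proto is None:
        findings.append("min protocol unset: default depends on Samba version")
    elif proto in SMB1_DIALECTS:
        findings.append(f"SMBv1 allowed: server min protocol = {proto}")
    return findings + [f"445 listening on {s}" for s in exposed_smb_listeners(ss_output)]
```

A listener on a non-loopback address is only a finding to follow up: whether 445 is reachable from outside still depends on the perimeter firewall.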
 

Thread Starter

joeyd999

Joined Jun 6, 2011
6,330
Hmm, I am not sure, but I think I am being trolled here...
No, you are not. In fact, I appreciate your intelligent reply wrt OSs and Windows in particular. I've learned such is not normally to be expected here (knee-jerk reactions are more common).

Nice analogy. A car manufacturer builds a car with an issue 27 years ago (IBM\Microsoft did not know of the issues back then) because that's how it was done at the time (leaded fuel for example).
I used this analogy on purpose. Windows was built on a single-user platform (MSDOS -- a hacked version of CP/M). Multi-user Windows is a kludge. Windows is, and always has been, the Ford Pinto of operating systems.

Long ago, before Linux, there was a joke: if Microsoft manufactured automobiles, they would cost pennies, get 1,000 MPG, go 200 MPH, and blow up once a year killing everyone inside. This is still true.

it was simply written back in the days when networks were isolated.
Come on. Windows had no concept of a network in those days. TCP/IP and WWW caught them completely by surprise. Don't change history. I was there.
 

markdem

Joined Jul 31, 2013
113
No, you are not. In fact, I appreciate your intelligent reply wrt OSs and Windows in particular.
Apologies in this case, difficult to tell on the internet.

Windows was built on a single-user platform
"Was" is the operative word here. Ever since the old NT kernel was rewritten back in Windows 2000 it has been multi session. These days it is (to a point) sandboxed too. We can't talk about old crap like NT and 3.11, it is simply not fair to compare it to these days. Like comparing the Model T to a modern car.

Come on. Windows had no concept of a network in those days.
TCP\IP stack was available to windows in the late 1980's. SMB was released a few years after. Windows also had IPX support as far back as Windows 2.0 (built by Novell).

WWW caught them completely by surprise
100% correct and I agree with you. MS, like a lot of companies, did not see the importance of the internet until it was too late and companies like Netscape and Novell had the market.

Don't change history. I was there.
So was I :(. When I type things like Novell I feel so old....
 

wayneh

Joined Sep 9, 2010
18,116
I was there too. I remember when I installed a Mac network in our new labs and office and chose to get us a good laserwriter printer to share. The Windows (and DOS) people were just blown away and kept asking for their own printers. The notion you could print and share files over a network was just not something they could imagine.

Then, one day, I was once the first person in the building to get on the internet. I spent quite a while getting the software, getting all the network settings right and so on, and then finally there I was, on the www. After just a few minutes, I can remember thinking, "What now?" There were just a few companies to look at, car companies I seem to recall, and very little useful information. Patents and journals weren't digital yet. No news outlets. No Google. Compared to now, it was like a bombed out city.
 