Some security questions

Hi all!

I am a person with an interest in cyber security. I am not sure what section this would go best in so sorry if wherever it ends up isn’t correct.

I’ve been reading up on cyber security recently and I’ve come across some criticism of Linux Desktop operating systems as being very lacking in various areas and I was wondering if perhaps someone could enlighten me on the validity of these criticisms? I am not interested in debating operating systems. I am a linux fan, I will always be a linux fan, and honestly if I were a betting person my money would be on the weakest security aspect of (almost) any computing experience would exist between the chair and keyboard. That said, I would at least like to be aware if these criticisms are reasonable or if these claims are being made in bad faith.

The first claim is that sandboxing on linux is either non-existent or weak enough that it may as well be non-existent. It compares linux to the sandboxing on Win10, Mac, and ChromeOS.

The second claim is that linux has near zero exploit mitigations compared to, “any other modern OS.” On a personal note, I feel like there is a significant bias here, because it credits Windows and Mac to, “Moving toward memory safe languages” while noting they are still “mostly written in memory unsafe languages.” Then criticizes linux because, “enabling rust does not imply it will be used.” This stinks of a double standard to me.
- It does go on to discuss some level of specifics and makes the claim that Windows and Mac have better protection against a buffer overflow attack through use of arbitrary code guard and hardened runtime. I feel like this is more factually based.

The third claim is that the linux kernel itself is lacking in security. It claims there is a colossal amount of code all running within the most privileged areas of the operating system. It claims linux implementation of new features worsens an already large attack surface.

In fact, there are so many bugs being found in the kernel, developers can’t keep up, which results in many of the bugs staying unfixed for a long time. The kernel is decades behind in exploit mitigations, and many kernel developers simply do not care enough.

Are these fair and reasonable criticisms of linux security issues? At least one article doesn’t outright say it, but it at least heavily seems to imply that security is nearly a lost cause on linux because the level of things needed to do to secure linux would break all compatibility with the current linux ecosystem.

I am solely asking out of what I would describe as a ‘professional interest.’ As I said at the top, were I a betting person, I’d wager the biggest security risk is between the chair and keyboard for most mainstream operating systems, still I would like to try and maintain a reasonable awareness of what is going on under the hood as much as I can.

Welcome to the community! :enos_flag: :vulcan_salute:

Two things:

  1. It would be better to actually post the link to the source of said criticisms
  2. These criticisms only hold weight because Linux isn’t a trillion-dollar company

Let others be able to read the full scope of criticisms. And in this world, money moves mountains when it comes to software/hardware development.

4 Likes

I don’t know what you read since you didn’t link so I can say that Linux is lightyears ahead of security than both Windows or Mac. This sounds like an article from a Windows fan boy.

3 Likes

You should probably link to the article in question to really give us an idea of what is being said. You have already answered your own questions when it comes to certain sections such as the memory safe language stuff, so I won’t address those.

To my knowledge neither windows nor linux does sandboxing out of the box for most software. Only snaps on Ubuntu and flatpaks have any semblance of it. Not counting tools such as apparmor and selinux. I don’t know enough about macOS to address it.

You must excuse my ignorance since I don’t work this low level, but I don’t see how either of these things protects against a buffer overflow. A buffer overflow is a specific programming error that can occur in almost any piece of software that doesn’t account for it. So I’m curious to know in what circumstances do Windows and Mac protect against this? Is the author specifically referencing at the kernel level?

This particular argument is the one that I find disingenuous. It reminds me of some of the early 2000’s smear campaigns against open source software. The linux kernel is a colossal piece of software used for many different things by many different companies. Of course there are more issues. Furthermore the open source nature means that issues are found by far more people.

How can the author claim that one thing is lacking in security compared to a thing that you can not see? Does the author of the article work at Microsoft? Does the author have insider knowledge of the proprietary code at Apple or Microsoft? If not then for all we know the kernel may have less issues than those platforms. Despite being more widely used.

2 Likes

As you said, most probable risk is between chair and desktop. In my opinion when you understand this there are not that many security issues which you should be concerned about. At least now.

However I think that it is good to acknowledge that there are issues; they are usually addressed pretty fast but some have taken time to be addressed.

Usually exploitation requires root access so you should be careful on granting that.

I’m no security expert however and could be wrong.

2 Likes

Welcome to the Purple Family, @HausMaus. :enos: :enos_flag:

  • Indeed, a link to the source from which you quote would be helpful.

I’m no security expert, Linux or otherwise. Generally speaking, I can say that on a personal level as an intermediate Linux user for 25+ years, security has never been a concern. Anecdotally, my usage of Linux distros over the years has been completely free of security issues.

Again, I’m no security expert. But I do follow such things. And the code within the Linux kernel has doubled in size over the last 10 years, growing to more than 40 million lines of code. Does that make the Linux kernel subject to security threats greater than Windows or MacOS? I honestly don’t know.

Frankly, this smells like a troll post too. You aren’t interested in debating operating systems, yet you post this on a Linux forum. You’re either in on it with the author of this “article”, you are the author of this article and you post it here for validation or to troll or you really are completely clueless and you came here in search of an answer. To tell you quite frankly, I don’t believe you’re clueless, but I will give you the benefit of the doubt.

The claims make so little sense that they’re downright enraging. ChromeOS IS LINUX! It is literally a Google search away. The second claim is even more wrong and completely misunderstands two extremely crucial pieces of information:

  1. Linux is the preferred enterprise operating system for server work
  2. Linux’s development is open source, so any developer will and can submit patches to security holes they find and these things aren’t taken lightly

1 Like

First thank you!

Posting the link is a fair point. I was posting at like 2AM my time which was pretty far after my bed time so I wasn’t in a “best practices” mindset.

I generally agree from a resource point of view. Having a mountain of money means you can invest it and have options that just aren’t possible otherwise.

2 Likes

The developer claims to be a FOSS developer exploring their github. Here is the article in question. I will be the first to say even if they aren’t a windows fan boy people still have a major propensity to favor whatever their favorite flavor is over all others.

It is fair to link the article. As I said to another user, I was up past my bed time so I certainly wasn’t thinking clearly.

According to the article, windows works to ensure that memory that is writable isn’t executable and memory that is executable isn’t simultaneously writable. This would prevent code from executing in memory according to them. Mac to my understanding uses their own memory segmentation (I am probably using the wrong term there) to help guard against it as well.

If you hit “back” on the page I linked, they claim to be a FOSS developer for a privacy focused FOSS solution.

I am far from an expert, though I hope to be one some day. Not sure if I ever make it there I’ll even realize I am there given how complex computer systems are.

I am pretty sure at least once a day when I run yay -Syu there is no lack of packages being updated for a huge slew of reasons. I generally have been of the belief that no small part of that is security updates.

I do want to maintain a realistic mindset and be aware of what is going on under the hood to the best of my abilities and practical limitations.
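The writable-versus-executable property described in the post above can be checked on a Linux process by reading its memory map. The following is an added example, not part of the original thread: it parses text in `/proc/<pid>/maps` format and reports any mapping that is writable and executable at the same time. The sample map and the function names are constructed for illustration.

```python
import re

# Constructed sample in /proc/<pid>/maps format (not from a real process).
SAMPLE_MAPS = """\
55d0c8a00000-55d0c8a21000 r--p 00000000 08:01 131 /usr/bin/example
55d0c8a21000-55d0c8ab2000 r-xp 00021000 08:01 131 /usr/bin/example
55d0c8cb3000-55d0c8cb8000 rw-p 000b3000 08:01 131 /usr/bin/example
7f3a10000000-7f3a10021000 rwxp 00000000 00:00 0
7ffc5a1e0000-7ffc5a201000 rw-p 00000000 00:00 0 [stack]
"""

# Fields: address range, permissions, offset, device, inode, optional path.
MAPS_LINE = re.compile(
    r"^([0-9a-f]+)-([0-9a-f]+)\s+([r-][w-][x-][ps])\s+\S+\s+\S+\s+\d+\s*(.*)$"
)


def parse_maps(text):
    """Yield (start, end, perms, name) for each well-formed maps line."""
    for line in text.splitlines():
        m = MAPS_LINE.match(line.strip())
        if m:
            start, end, perms, name = m.groups()
            yield int(start, 16), int(end, 16), perms, name.strip() or "[anonymous]"


def wx_violations(text):
    """Return the mappings that are both writable and executable."""
    return [row for row in parse_maps(text) if "w" in row[2] and "x" in row[2]]


def audit_pid(pid="self"):
    """Audit a live process; needs permission to read /proc/<pid>/maps."""
    with open(f"/proc/{pid}/maps") as fh:
        return wx_violations(fh.read())


if __name__ == "__main__":
    for start, end, perms, name in wx_violations(SAMPLE_MAPS):
        size_kib = (end - start) // 1024
        print(f"W+X mapping: {start:#x}-{end:#x} {perms} {size_kib} KiB {name}")
```

Processes that generate code at run time, such as JIT compilers, can legitimately show such mappings, so a hit is a prompt to look closer, not proof of compromise.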

I would not rely on just one source. This article is from 2022. There should be other articles with similar findings from other sources if the findings in this article are true.

Also, the author says that he is “a security researcher who works on various open source projects,”. If you look on github you see that his last commits to any open source project are from March 2022. He has not contributed anything after that date. Looks like he stopped contributing after he published his article.

1 Like

Thank you! :blush:

That’s a very fair request. My sincere apologies I didn’t include it originally.

To be honest most of my life I’ve kinda assumed linux was the best security option in many respects. Even reading these criticisms, I still have some level of belief linux is better than the alternatives in a lot of ways.

That is impressive! It looks like according to your article part of the growth of the code is hardware compatibility.

1 Like

I’ve already linked the article a few times… buut

Coping? Yeah I am coping. What I am coping with has nothing to do with linux or cyber security but if thinking about cyber security keeps my mental health in check and I’m not obsessing over other issues, then I’ll obsess my autistic heart out.

Like I said from the first post twice, I have yet to see a compelling argument the biggest weakness in a linux desktop computing experience doesn’t exist between the keyboard and chair.

It’s that simple.

Well, this thread devolved into ridiculous chaos.

Why so many flagged posts???

2 Likes

I have kept the topic solely to cyber security in any meaningful way I can. I am posting on a linux forum because I assume that’s where people knowledgeable about linux will be. I am posting to endeavor forums specifically because it’s been my favorite flavor for years.

I am completely clueless. I’ll be honest there. Cyber security is an incredibly complex topic. Computers are incredibly complex topics. Given the sheer depth and breadth of the subject, I feel like even very knowledgeable people can be largely clueless about things just outside their area of expertise.

If I wasn’t confused, I wouldn’t be here. It can be exceptionally difficult to tell if something doesn’t make sense because it’s wrong/gaslighting/whatever else or if I simply have almost none of the knowledge needed to evaluate it.

Look, it’s not the best comparison, but just on an unrelated example: Encryption. I “understand” encryption conceptually. You edit data/information in such a way that it can’t be understood by any party that doesn’t have the proper knowledge to decrypt it.

I know there are many encryption standards and they offer varying levels of protection. I have more than one learning disability and I am bad at math. I am not, and will never be able to test out advanced cryptography because that is a subject I assume I will never have a good enough grasp of to understand. I do however, know that whatever math nerd (use this term endearingly) comes up with an encryption algorithm it can be evaluated by other math nerds and a consensus can be formed. I’ll never possess that firsthand knowledge of advanced math, but I will possess the knowledge to seek out people who can validate those claims or not.

That’s why I am here, that’s the beginning and end of it.

1 Like

I would argue the fact that I am here asking questions means I am using more than one source, or at least looking for more than one source. I am not presenting any of these arguments authoritatively as true. This might not have been the best place to ask, but it made as much sense to my sleep-addled brain as anywhere else.

I would say that only by reading one specific article it is impossible to discuss “security questions” in general.

Go do some research on the items the article is talking about first, would be my suggestion.

After this you will be able to start a meaningful discussion.

1 Like

keep it civil please.

The system does that when a new user starts posting many posts fast and links to the same website many times.

3 Likes