When Betting on Linux Security, Look at the Big Picture

Recently, an article crossed my path that made me smile. There’s not much in tech these days that does that, so I took a moment to savor this rare sensation.

The piece by Jack Wallen on ZDNet pitched Linux as a refuge from the desktop OS security pitfalls of its competitors. I’ve held this viewpoint for a while. What impressed me about the article, though, is that the author bothered to make the sell to an audience of mostly non-Linux-using consumer tech readers.

As pro-Linux desktop arguments go, the author’s was easily comprehensible to neophytes. Beautiful. But if there was any shortcoming worth noting, it is that in places, it was a bit too light on detail for an article that, in the best case, is guiding users toward the serious undertaking of wiping their machine’s factory OS to install a new one that is handed out for free on the internet.

I’m hoping a follow-up piece is in the works for those whose excitement generated by the initial article needs a bit of direction. But unless and until the sequel debuts, I wanted to start a dialog by offering a few points.

Knowing the Risks Is Good. Laying Them All Out Is Even Better.

The author starts out by pointing out the dangers of using Windows based on how commonly attackers target it. Allow me to cite some data to underscore that point.

In no time flat, a web search shows that Windows is not only the operating system impacted most by malware overall but also the top target of ransomware.

When you think about it, Windows’ popularity as a hacker’s punching bag is natural. Most enterprise workstations are Windows by a wide margin. Today’s attackers are primarily motivated by money. Where do you think one would find more valuable data? On an employee’s Windows desktop or a random personal computer?

Windows is my favorite verbal punching bag, too. Since I believe in fighting fair, as I did for Windows, I insist on evaluating Linux on the evidence.

Linux desktop security statistics are hard to come by. With an ecosystem of hundreds of distributions, this is no surprise. So, to assess Linux’s security, we will have to interrogate the statistics a bit.

Looking at “Linux” on the whole, there’s enough Linux malware out there to put it second to Windows, albeit distantly.

We don’t get the whole story without context, though. Linux is deployed more widely than any other OS even if, as the above dataset does, Android is broken out into a separate category. Each type of Linux deployment presents a very different vulnerability profile.

Consider IoT Vulnerabilities

With as many conference talks, white papers, and vulnerability disclosures as there are from industry experts all indicating the unique security shortcomings of Internet of Things (IoT) devices, it seems likely to me that much Linux malware falls into this category.

IoT devices do not require users to log in, so there is no active user noticing the kind of suspicious behavior that signals the presence of malware. Oh, but the login is there, and users almost never change it from the stock password. IoT devices also get infrequent, if any, updates, and when (if) they do, it could require flashing the firmware to the device.

Do you remember the last time you flashed your router firmware? Exactly. Moreover, if that isn’t enough to put IoT Linux in the crosshairs, these devices are on and networked all the time. What could be better for inclusion in a botnet or bouncing traffic to and from hacker command and control servers?

Linux Servers, Not Desktops, Are Prime Targets

Furthermore, my educated guess is that many attacks on Linux hit server Linux. Even if we assume that server, IoT, and desktop Linux devices are all targeted at the same rates (percentage of machines attacked out of all possible targets of that type), there are simply more Linux servers than Linux desktops by an enormous margin.

Although many Linux servers these days reside in the cloud and, as a result, often receive a lot of automatic management that shores up their defenses, e.g., auto-updates, they still draw fire because of what lucrative targets they are. There is also a wider variety of software that potentially runs on Linux servers.

If we presume that all software types are equally vulnerable, because there is a larger number of distinct programs deployed on Linux servers than on desktops, there is a higher chance that there is a hackable server somewhere. There are web servers, DNS servers, VPN servers, file servers, and many more, each with multiple software vendor options. That’s a lot of room for attackers to work with.

All of these considerations are to say that desktop Linux remains the least appealing target for a hacker looking to score easy cash (or take steps in that direction). Desktop Linux has the smallest desktop user base by far. Actually, it’s the smallest user base of all desktop and mobile platforms and all Linux installation types.

Attackers value their time like anyone else. Therefore, they tend to write exploits targeting the largest pool of potential victims. Desktop Linux is nowhere near that, and unless there is a significant shakeup in the desktop computing landscape, it probably never will be — which, from a security perspective, is an asset.

Let’s Get Zoological With This Penguin

I want to put some of the Linux security praise from the ZDNet piece under the microscope. For the record, I think most of it is fair, but it’s good practice to check the foundation of each claim.

That piece noted that Linux permissions are “sane.” I’m not sure I agree this is true to the extent that I’m not sure what the author means by sane. If he’s talking about how root is more segmented off from normal users than Administrator is in Windows, then I’d concur.

In Windows, it is dangerously easy to right-click on an app and run it as Administrator. With macOS and Linux, upping the execution privilege level is not so simple and thoughtless. Instead, you have to pull up a terminal and run the program with sudo. 

But all this really says is that Unix-style permissions are sane. That checks out, but in fairness, macOS has such permissions, too. At this point, assessing sanity comes down to how macOS and Linux desktops set up default file and directory permissions. But this varies so much by Linux distro that comparisons get dicey.

Our penguin-loving friend also extols Linux for its use of repos over the Windows approach of allowing software installation from any “.exe” file. It’s true that most Linux desktop distributions steer you toward their repo. But to be upfront, macOS is much more locked down on software than Linux.

Really, Linux lies somewhere between macOS and Windows: most software comes from the repo, but there are still programs distributed as third-party .deb or AppImage downloads.

Then again, macOS can lock down its ecosystem. Apple, with its proprietary ownership over macOS, is positioned to restrict its software uninhibited. Establishing a walled garden (like Apple’s App Store) for the Linux desktop is impossible because Linux is open-source. If one distro closed its borders, users could seek refuge with another distro and go on installing any software they pleased.

Linux, as both of us now point out, is definitely open-source. I agree that this is a strong point in favor of Linux’s security, too, as it lets independent experts analyze it. But just because they can doesn’t mean they do.

Before you go burning a Linux ISO onto your USB, just know that the “Linux” most security professionals review is server Linux. Far fewer of them scour Linux desktops and apps for exploitable bugs.

A Balanced View of OS Updates

In one last analysis of Jack Wallen’s highly commendable ZDNet piece, I’d like to address a statement made by the author. They stated that desktop Linux gets updated “regularly,” which is true and perhaps intended to assuage skeptical prospective users. However, in today’s context, this regularity of updates is not unique to Linux; it’s equally true for macOS and Windows.

Linux desktops, not being a monolith, get updates from constantly to weekly to whenever. You have to do your homework and know your preferences (newcomers: I strongly advise you not to opt for Arch Linux, much as I love it).

But I get where my colleague is coming from, so I’ll solidify his argument by changing tack. If users are willing to reinstall every few years, Linux offers indefinite security. Even among information security-conscious users, it is still commonplace to continue using one’s phone or computer past its security update end of life.

I sympathize with not wanting to shell out hundreds of dollars because your device’s OS developers no longer feel like pushing updates. With Linux, you can just install the new major release and get 4 to 5 more years of support. When that runs out, do it again.

Adopt a Penguin Today

Just like owning a pet, computer ownership is a serious responsibility. Any prospective Linux user should have the excitement that the original piece’s author so effortlessly evokes. As long as it’s paired with a sober appreciation for exactly what Linux usage entails, you have everything you need to give a penguin a happy home on your desktop.