I don’t want to sound dismissive, this is a genuine question and not an attack on Linux.
Other than security by obscurity, how is it possible that an operating system whose entire source code is available to hackers to peruse at will could be more secure than a closed source one?
Security by obscurity doesn’t work. Microsoft software has always been closed source and it has never prevented hackers making exploits.
Open source software allows hundreds of thousands of people to comb over the code and find/fix vulnerabilities much easier.
It’s also true that because of the way Linux is developed, security flaws in Linux are patched much faster than in other projects, with Linux patching issues in an average of 25 days compared to Microsoft’s 83 days. And the gap is widening, recently Linux has got that down to 15 days.
There’s a reason companies go with Linux for servers that handle sensitive information or are business-critical. And there’s a reason why the best encryption algorithms are all open source.
Because if a vuln gets found or exploited, it gets immediately patched, often with some big backing by OEMs that run on Linux.
Open source also reduces the likelihood of exploitable bugs going unnoticed because everyone can see and play with the source code by themselves.
There is a risk of malicious merge requests, but so far that hasn’t been a problem besides a university getting banned for pointing out the issue with a live test without telling the devs.
Much of linux is also designed to be hardened by default because it’s used on so much infara. SELinux by itself is a great example because it was essentially created by RedHat and now is a major standard for MAC.
Windows on the other hand needs Microsoft alone to solve the problem. No one can patch it themselves, and there’s no guarantee the patches will work, which has happened several times. I believe print spooler basically had to be disabled because there was no good solution due to implementation.
The amount of Windows OS specific exploits vs Linux specific exploits kind of shows the results of closed source vs open source.
The worst vuln I can think of for Linux is dirty cow which is a local priv esc on basically Linux kernels 2.x-4.x which was a big deal when it was discovered because of the range of versions
Meanwhile windows had eternal blue, a whole remote code execution that existed on every version of windows since win95 that the NSA kept for probably a decade before it was leaked.
Imagine for a moment that the business world transitioned to Linux, and now there’s enormous incentive for all adversaries from state sponsored to financially motivated criminals to spend all their time hunting through linux source code.
Do you think the ideas above stand up? (I’m not saying they dont)
Would linux vulnerabilities be found at a higher rate? I wonder if they aren’t now because there aren’t as many eyes on them. Sure there’s corporate side project efforts and volunteers, just curious how that stacks up against the amount of research happening to break Windows systems.
NSA would definitely want to keep some linux exploits around if their adversaries were using linux instead of windows. I think the result would be the same regarding eternal blue.
The point is, they already did. 99% of webservers run Linux. They are all out in the open and hackers love to get their hand on them as they are likely to have mailservers on them and they have a public IP so they can always be reached.
And most of them do not get hacked. And those that do mostly get hacked due to bad passwords or bad website code. I administer one and see the thousands of attacks running up against it daily (most are just attempts to log in with basic credentials). And of course I see the daily influx of updates from Linux.
If a new security flaw is seen, its often quite difficult to use. And with Linux somebody makes a patch before simple tool for hackers are out.
With Microsoft products you wait till the next patch day, in the best case critical exploited bugs are patched in days.
Also security flaws in closed source products are often easier to exploit and tools to use them are available fast. (Such flaws are often already discovered in open source products by third eyes and testers before they make it to production systems.)
Of course there are exceptions to the rule, like heartbleed. This was an easy to exploit flaw in an often used Linux service and it caused a big turmoil because many where to slow to patch their systems.
Also of course if Linux gets more popular on the desktop more software will be an attractive target for malicious actors and some software may get popular before many people take a look at the source code. But the situation will still be much better compared to closed source systems.
(Also of course more closed source software will be made for Linux then)
Linux is already used everywhere, from servers to satellites to phones to infrastructure. There’s already a huge incentive to find exploits, moreso than Windows devices.
I do think more desktop-oriented exploits would be found if more people used Linux desktop, but I think that’s more down to distro fragmentation and not every distro maker being as competent as others, or not having the manpower to keep up with development, as opposed to there intrinsically being danger in people seeing source code.
NSA would definitely want to keep some linux exploits around
And they’d be spotted in the source code and patched. If the code is proprietary, you can never trust that there aren’t backdoors.
Linux is currently having parts of the kernel rewritten in memory safe languages like Rust, eliminating entire classes of exploits. Wayland is being developed with a far more secure architecture than the old X.org window manager. One important reason why they can do this is because the whole industry follows and stuff like drivers can be updated at the same time to keep everything working, and it doesn’t even need to be the original developer patching it.
Microsoft’s opacity makes it near impossible for them to do the same thing, so much of their security improvements are essentially hacked in on top of old code to not break compatibility. Instead of eliminating bug classes they rely on tons of techniques to make them harder to exploit instead - yet not impossible.
If that happeninux will also recieve more contributions and donations from that structers also linux devs also doesn’t have to worry about building blobs, ads, tracking, making UI prettierso they can worry about real stuff and aolve those issues . The security of linux isn’t because of the low amount of users its simply because it is what it is an OS build and used by nerds who whether you like it or not are some of the most tech savy people you can find and they have their heart in it because they are not doing it for corpos or salary . Also linux is the OS used by most (and best ) hackers and proggrammers and often recieve contributions from (only sometimes from the hackers but as the linux users are naturally paranoid they often review code and PR for vulnabilities instead of the need to add extra features cause jomo)
I proggram for hobby and i am really really bad at it like if a legitamate programmer sees my life’s work in it they will beat me to death with bare hands bad . And the grammer and spellings is because english isn’ty first language.
Because many eyes are there watching it. While not everyone is an active kernel hacker, many parties have an active interest in certain aspects of the kernel, and watch source code and patches closely.
Yup. E.g. years ago Huawei tried to merge something in the kernel that had a glaring security hole, many speculated that it was a deliberate attempt to add an exploit to the kernel.
It was immediately spotted before it even got close to being merged, and of course it got rejected.
The likes of Google, Microsoft, RedHat/IBM, Intel, AMD, Chronos group, etc are always investigating what other companies are trying to implement into the kernel. They obviously won’t stand for any dodgy stuff from another company being injected into the kernel.
Everything is highly scrutinised, not just by the kernel maintainers, but also by the contributors.
Linux anyone ?
I don’t want to sound dismissive, this is a genuine question and not an attack on Linux.
Other than security by obscurity, how is it possible that an operating system whose entire source code is available to hackers to peruse at will could be more secure than a closed source one?
Security by obscurity doesn’t work. Microsoft software has always been closed source and it has never prevented hackers making exploits.
Open source software allows hundreds of thousands of people to comb over the code and find/fix vulnerabilities much easier.
It’s also true that because of the way Linux is developed, security flaws in Linux are patched much faster than in other projects, with Linux patching issues in an average of 25 days compared to Microsoft’s 83 days. And the gap is widening, recently Linux has got that down to 15 days.
There’s a reason companies go with Linux for servers that handle sensitive information or are business-critical. And there’s a reason why the best encryption algorithms are all open source.
Code being in the open allows the whole world to participate and fix the problems quicker than closed source binary.
Because if a vuln gets found or exploited, it gets immediately patched, often with some big backing by OEMs that run on Linux.
Open source also reduces the likelihood of exploitable bugs going unnoticed because everyone can see and play with the source code by themselves.
There is a risk of malicious merge requests, but so far that hasn’t been a problem besides a university getting banned for pointing out the issue with a live test without telling the devs.
Much of linux is also designed to be hardened by default because it’s used on so much infara. SELinux by itself is a great example because it was essentially created by RedHat and now is a major standard for MAC.
Windows on the other hand needs Microsoft alone to solve the problem. No one can patch it themselves, and there’s no guarantee the patches will work, which has happened several times. I believe print spooler basically had to be disabled because there was no good solution due to implementation.
The amount of Windows OS specific exploits vs Linux specific exploits kind of shows the results of closed source vs open source.
The worst vuln I can think of for Linux is dirty cow which is a local priv esc on basically Linux kernels 2.x-4.x which was a big deal when it was discovered because of the range of versions
Meanwhile windows had eternal blue, a whole remote code execution that existed on every version of windows since win95 that the NSA kept for probably a decade before it was leaked.
Imagine for a moment that the business world transitioned to Linux, and now there’s enormous incentive for all adversaries from state sponsored to financially motivated criminals to spend all their time hunting through linux source code.
Do you think the ideas above stand up? (I’m not saying they dont)
Would linux vulnerabilities be found at a higher rate? I wonder if they aren’t now because there aren’t as many eyes on them. Sure there’s corporate side project efforts and volunteers, just curious how that stacks up against the amount of research happening to break Windows systems.
NSA would definitely want to keep some linux exploits around if their adversaries were using linux instead of windows. I think the result would be the same regarding eternal blue.
The point is, they already did. 99% of webservers run Linux. They are all out in the open and hackers love to get their hand on them as they are likely to have mailservers on them and they have a public IP so they can always be reached.
And most of them do not get hacked. And those that do mostly get hacked due to bad passwords or bad website code. I administer one and see the thousands of attacks running up against it daily (most are just attempts to log in with basic credentials). And of course I see the daily influx of updates from Linux.
If a new security flaw is seen, its often quite difficult to use. And with Linux somebody makes a patch before simple tool for hackers are out. With Microsoft products you wait till the next patch day, in the best case critical exploited bugs are patched in days. Also security flaws in closed source products are often easier to exploit and tools to use them are available fast. (Such flaws are often already discovered in open source products by third eyes and testers before they make it to production systems.)
Of course there are exceptions to the rule, like heartbleed. This was an easy to exploit flaw in an often used Linux service and it caused a big turmoil because many where to slow to patch their systems.
Also of course if Linux gets more popular on the desktop more software will be an attractive target for malicious actors and some software may get popular before many people take a look at the source code. But the situation will still be much better compared to closed source systems.
(Also of course more closed source software will be made for Linux then)
Linux is already used everywhere, from servers to satellites to phones to infrastructure. There’s already a huge incentive to find exploits, moreso than Windows devices.
I do think more desktop-oriented exploits would be found if more people used Linux desktop, but I think that’s more down to distro fragmentation and not every distro maker being as competent as others, or not having the manpower to keep up with development, as opposed to there intrinsically being danger in people seeing source code.
And they’d be spotted in the source code and patched. If the code is proprietary, you can never trust that there aren’t backdoors.
Linux is currently having parts of the kernel rewritten in memory safe languages like Rust, eliminating entire classes of exploits. Wayland is being developed with a far more secure architecture than the old X.org window manager. One important reason why they can do this is because the whole industry follows and stuff like drivers can be updated at the same time to keep everything working, and it doesn’t even need to be the original developer patching it.
Microsoft’s opacity makes it near impossible for them to do the same thing, so much of their security improvements are essentially hacked in on top of old code to not break compatibility. Instead of eliminating bug classes they rely on tons of techniques to make them harder to exploit instead - yet not impossible.
If that happeninux will also recieve more contributions and donations from that structers also linux devs also doesn’t have to worry about building blobs, ads, tracking, making UI prettierso they can worry about real stuff and aolve those issues . The security of linux isn’t because of the low amount of users its simply because it is what it is an OS build and used by nerds who whether you like it or not are some of the most tech savy people you can find and they have their heart in it because they are not doing it for corpos or salary . Also linux is the OS used by most (and best ) hackers and proggrammers and often recieve contributions from (only sometimes from the hackers but as the linux users are naturally paranoid they often review code and PR for vulnabilities instead of the need to add extra features cause jomo)
Also spelling, grammer etc.
There is a great t-shirt that says:
I’m a programarI’m a programmarI’m a programerI write code
I love this shirt. So many programmers are awful at spelling. I do not, personally, suffer this malady, so I don’t own the shirt, but I still love it.
Um actually it’s spelled m’lady. /s
Perfektion
I proggram for hobby and i am really really bad at it like if a legitamate programmer sees my life’s work in it they will beat me to death with bare hands bad . And the grammer and spellings is because english isn’ty first language.
Governments of Russia China India use Linux, nsa definitely keeping exploits active to keep tabs
Closed source doesn’t prevent people from reverse engineering it to find exploits, it just makes it harder for others to contribute to fixing it
Because many eyes are there watching it. While not everyone is an active kernel hacker, many parties have an active interest in certain aspects of the kernel, and watch source code and patches closely.
Yup. E.g. years ago Huawei tried to merge something in the kernel that had a glaring security hole, many speculated that it was a deliberate attempt to add an exploit to the kernel.
It was immediately spotted before it even got close to being merged, and of course it got rejected.
The likes of Google, Microsoft, RedHat/IBM, Intel, AMD, Chronos group, etc are always investigating what other companies are trying to implement into the kernel. They obviously won’t stand for any dodgy stuff from another company being injected into the kernel.
Everything is highly scrutinised, not just by the kernel maintainers, but also by the contributors.
ReactOS FTW.