Is Linux secure or insecure?

[Akram F. Sulaiman]

When I teach Linux+ course to students, I normally start stating that one of the pros of Linux is that it is open source and secure.

Immediately many students start wondering and asking me the following question.

"If Linux is open source software, which means that all its source code is available on the internet, this means that all the bad guys (crackers) over there on the internet can see its inner code and may discover any weaknesses on the OS's code and exploit that weakness for their benefits. Then how you are telling us that Linux is a secure OS?"

Can you please help me on how to reply to their worries and answer this viable question? Any hints?

Million Thanks

 

[Lee McWhorter]

Because the idea is that the community will find and fix bugs first, as opposed to closed code where only the company's devs can do it.

 

[Rick Butler]

"If Linux is open source software, which means that all its source code is available on the internet, this means that all the bad guys (crackers) over there on the internet can see its inner code and may discover any weaknesses on the OS's code and exploit that weakness for their benefits. Then how you are telling us that Linux is a secure OS?"

This is an interesting question - pretty common one in the line in teaching security. But I find that last question is something of a hasty generalization fallacy. Just because people can find new an interesting exploits to a system doesn't mean it's not a secure OS. Any lock can be picked or broken with sufficient will, time, and resources.

If they want a classic answer, assign your students to read Sun Tzu's Art of War as a reading assignment.

There are four security principles that come into play that I've taught in classes before:

1) Security through Obscurity is not Security at all
2) Open Disclosure is Good for Security
3) There is no such thing as absolute security; there are no silver bullets.
4) Security is a function of proper risk management.

I would start also with the opposite question - Microsoft Windows Server is a closed source operating system. But yet, it has been the target of many attacks. So being open or closed really isn't going to come into play - everyone is a target - MSFT, Linux, Apple...all of them are targets.

Next, I would raise the point that while exploits of code are why systems end up compromised, compromises are far more the case through the user. So it really doesn't matter what OS it is - if I can beat the user, the system security is irrelevant, in the long run.

Then, going back to my two points, yes, the bad guys are going to pour over OS code looking for holes. Doesn't matter if it's Linux or something else - never underestimate a properly motivated attacker. But when code is open, it also gets the good guys seeing it too. Now zero-day threats are a real thing and always will be, regardless of system. When a Zero Day comes out, regardless of OS, there are firms all over it, working up a patch.

Interestingly, in February, Google announced bigger bug bounties for exploits to Linux and Kubernetes. So in that, our attackers are now more apt to pen-test for the payoff, rather than to attack others. Threats are out there still. As a matter of fact, this week marked a year since I got to come toe-to-toe with the Kasaya ransomware hack from Russian group REvil.

In short, it's a cat and mouse game. Build a better mousetrap, get better mice. It's a revolving process. The cost, though, as we all know...

...is constant vigilance.

Close the discussion with a challenge - are you willing to stand in the gap and defend your network?

Because that's what it takes.

/r

 

[Bob Armstead]

Linux is secure. The security comes from the fact that the entire community oversees its development and maintenance. With the entire community involved it is considered safe to use. Another aspect to consider is that because of how it operates, it becomes somewhat secure because of a lesser form of familiarity.

Lee McWhorter would definitely be able to give a better reason than I just have but I do believe I covered the gist of it. He is teaching the TTT for Linux+ on Monday.

 

[Akram F. Sulaiman]

This is an interesting question - pretty common one in the line in teaching security. But I find that last question is something of a hasty generalization fallacy. Just because people can find new an interesting exploits to a system doesn't mean it's not a secure OS. Any lock can be picked or broken with sufficient will, time, and resources.

If they want a classic answer, assign your students to read Sun Tzu's Art of War as a reading assignment.

There are four security principles that come into play that I've taught in classes before:

1) Security through Obscurity is not Security at all
2) Open Disclosure is Good for Security
3) There is no such thing as absolute security; there are no silver bullets.
4) Security is a function of proper risk management.

I would start also with the opposite question - Microsoft Windows Server is a closed source operating system. But yet, it has been the target of many attacks. So being open or closed really isn't going to come into play - everyone is a target - MSFT, Linux, Apple...all of them are targets.

Next, I would raise the point that while exploits of code are why systems end up compromised, compromises are far more the case through the user. So it really doesn't matter what OS it is - if I can beat the user, the system security is irrelevant, in the long run.

Then, going back to my two points, yes, the bad guys are going to pour over OS code looking for holes. Doesn't matter if it's Linux or something else - never underestimate a properly motivated attacker. But when code is open, it also gets the good guys seeing it too. Now zero-day threats are a real thing and always will be, regardless of system. When a Zero Day comes out, regardless of OS, there are firms all over it, working up a patch.

Interestingly, in February, Google announced bigger bug bounties for exploits to Linux and Kubernetes. So in that, our attackers are now more apt to pen-test for the payoff, rather than to attack others. Threats are out there still. As a matter of fact, this week marked a year since I got to come toe-to-toe with the Kasaya ransomware hack from Russian group REvil.

In short, it's a cat and mouse game. Build a better mousetrap, get better mice. It's a revolving process. The cost, though, as we all know...

...is constant vigilance.

Close the discussion with a challenge - are you willing to stand in the gap and defend your network?

Because that's what it takes.

/r

Dear Rick A. Butler Let salute you for your swift and awesome and comprehensive answer to my query. All the points that you have listed solidly rocked to my head and definitely will help me and all other respected trainers when they face such a question from the students. All the points you mentioned are clear, logic and to the point. Million thanks for your valuable information and thoughts.

 

[jasoneckert]

While it is arguably true that most - if not all - open source software is more secure than closed-source software via community contribution, security itself is never guaranteed and largely depends on how software and systems are implemented.

Some Linux distributions are reasonably secure out-of-the-box because the distribution maintainers chose to provide a default set of configuration options and technologies (e.g., SELinux, strict PAM/Systemd rules, firewall enabled by default, etc.). However, the user can still choose to install that Linux distribution on a system without a trusted boot chain and without LUKS-encrypted volumes, as well as configure it in a way that accesses other systems insecurely.

Even then, nothing is remotely close to 100% secure, which is why those working in Cybersecurity have to have a sense of humour.

So, perhaps a better way to answer that question is to compare secure out-of-the-box Linux distributions (like Fedora) to macOS, BSD and Windows.

• On M1 hardware, macOS is arguably just as secure as that Fedora Linux distribution because of the strict enforcement of System Integrity Protection (SIP) alongside the total isolation of system folders from the userspace.
• On a system with a TPM, both Windows 10 and 11 are also arguably just as secure if you enable hardware-assisted security (anomaly detection), protected folders (anti-ransomware), and core isolation (process isolation) within the settings of Windows Defender, since only Defender antivirus is fully enabled by default.
• BSD UNIX flavours (e.g. FreeBSD) contain equivalent security technologies as Linux, but almost always need to be manually configured (there is no out-of-the-box secure BSD flavour to my knowledge). But this is less of a concern since BSD is only used by power users who will likely configure those security features anyways.

Moreover, most Windows and macOS components/frameworks that are the target of CVEs are actually open source, so they benefit from the open source community releasing rapid updates. And with the rise of Cybersecurity focus in recent years, the remaining few proprietary components are often fixed quickly by Microsoft and Apple (the amount of open source components with a permissive MIT license in Windows and macOS is staggeringly high!).

So, I guess you could say that "Today, certain Linux distributions are secure out-of-the-box, but not dramatically more secure than macOS or Windows or even a well-configured BSD system. The most secure computer you'll find today is a Commodore 64."

 

[jasoneckert]

I'd like to introduce you to OpenBSD, an out-of-the-box secure BSD.

OMG - how could I have forgotten OpenBSD?!? I should have known that

 

[Akram F. Sulaiman]

While it is arguably true that most - if not all - open source software is more secure than closed-source software via community contribution, security itself is never guaranteed and largely depends on how software and systems are implemented.

Some Linux distributions are reasonably secure out-of-the-box because the distribution maintainers chose to provide a default set of configuration options and technologies (e.g., SELinux, strict PAM/Systemd rules, firewall enabled by default, etc.). However, the user can still choose to install that Linux distribution on a system without a trusted boot chain and without LUKS-encrypted volumes, as well as configure it in a way that accesses other systems insecurely.

Even then, nothing is remotely close to 100% secure, which is why those working in Cybersecurity have to have a sense of humour.

So, perhaps a better way to answer that question is to compare secure out-of-the-box Linux distributions (like Fedora) to macOS, BSD and Windows.

• On M1 hardware, macOS is arguably just as secure as that Fedora Linux distribution because of the strict enforcement of System Integrity Protection (SIP) alongside the total isolation of system folders from the userspace.
• On a system with a TPM, both Windows 10 and 11 are also arguably just as secure if you enable hardware-assisted security (anomaly detection), protected folders (anti-ransomware), and core isolation (process isolation) within the settings of Windows Defender, since only Defender antivirus is fully enabled by default.
• BSD UNIX flavours (e.g. FreeBSD) contain equivalent security technologies as Linux, but almost always need to be manually configured (there is no out-of-the-box secure BSD flavour to my knowledge). But this is less of a concern since BSD is only used by power users who will likely configure those security features anyways.

Moreover, most Windows and macOS components/frameworks that are the target of CVEs are actually open source, so they benefit from the open source community releasing rapid updates. And with the rise of Cybersecurity focus in recent years, the remaining few proprietary components are often fixed quickly by Microsoft and Apple (the amount of open source components with a permissive MIT license in Windows and macOS is staggeringly high!).

So, I guess you could say that "Today, certain Linux distributions are secure out-of-the-box, but not dramatically more secure than macOS or Windows or even a well-configured BSD system. The most secure computer you'll find today is a Commodore 64."

WoW. Thank you Jason W. Eckert ( @jasoneckert ) for your insightful thoughts. Your reply is full of accurate and solid technical facts which I may need to read dozens of books to gain these facts. You summarized all the valid points in a very wise and professional manner and that for sure reflect your extensive expertise in the Linux field and that is why I started now reading your valuable Linux + and LPIC-1: Guide To Linux Certification (5th edition). Again thank you sooo much for your time and effort

Note: By the way, My book (5th edition) does not have the Appendix E: Configuring the Windows Subsystem for Linux at the end of your print book hardcopy that I have. I do not know why, How I can get that appendix? Any hint?
Warmest Regards.

 

[jasoneckert]

Note: By the way, My book (5th edition) does not have the Appendix E: Configuring the Windows Subsystem for Linux at the end of your print book hardcopy that I have. I do not know why, How I can get that appendix? Any hint?
Warmest Regards.

No problem! Cengage may have omitted that Appendix because Microsoft has since dramatically simplified the steps to configure WSL following the original publication of the book, making that Appendix no longer relevant. Now, just running wsl --install from a command prompt in Win10/11 installs all components as well as the Ubuntu distribution (yes, it's now that easy!).

You can then run the ubuntu command to access it (or click Ubuntu on your Start menu). Installing other distributions is equally easy - just install them from the Windows Store and run the associated command (e.g. fedora) or click on their Start menu icons.

In my next edition, WSL will merely be a side note

 

[Akram F. Sulaiman]

No problem! Cengage may have omitted that Appendix because Microsoft has since dramatically simplified the steps to configure WSL following the original publication of the book, making that Appendix no longer relevant. Now, just running wsl --install from a command prompt in Win10/11 installs all components as well as the Ubuntu distribution (yes, it's now that easy!).

You can then run the ubuntu command to access it (or click Ubuntu on your Start menu). Installing other distributions is equally easy - just install them from the Windows Store and run the associated command (e.g. fedora) or click on their Start menu icons.

In my next edition, WSL will merely be a side note

Million thanks @jasoneckert . For sure I test drive it and see its glory

Best Regards

 

[Gregory Childers]

Nothing is secure permanently. It may be secure....for now. But given enough time, resources, etc. everything is hackable.

And saying "the community" will keep it secure is like saying "the community" will keep Wikipedia accurate. A malicious actor could edit the source code just like anyone else.

It's all about risk management and defense in depth.

 

[Brian Ford]

When I teach Linux+ course to students, I normally start stating that one of the pros of Linux is that it is open source and secure.

Immediately many students start wondering and asking me the following question.

"If Linux is open source software, which means that all its source code is available on the internet, this means that all the bad guys (crackers) over there on the internet can see its inner code and may discover any weaknesses on the OS's code and exploit that weakness for their benefits. Then how you are telling us that Linux is a secure OS?"

Can you please help me on how to reply to their worries and answer this viable question? Any hints?

Million Thanks

I'm going to go contrarian on you all.

Linux is open source. Agreed.

Most Linux distributions can be configured to be secure from a wide variety of known threats and vulnerabilities. There are many distributions of Linux. The default security posture of different distributions varies. Different distributions have different support communities; sometimes thousands of supporters and other times just few. I would suggest that some lesser known distributions of Linux probably have no active supporters (meaning that they receive and respond to vulnerability notices in a timely fashion). And then there are the open source utilities, tools and libraries that go into Linux and also vary based on distribution. Again, all community supported. Just look at all of the attacks on crypto libraries (SSL and TLS) over the past 10 years. All of these points go back to the differences between closed and open source software.

So I would agree with your students that the statement "Linux is open source and secure" is over reaching.

 

[Rick Butler]

Nothing is secure permanently. It may be secure....for now. But given enough time, resources, etc. everything is hackable.

And saying "the community" will keep it secure is like saying "the community" will keep Wikipedia accurate. A malicious actor could edit the source code just like anyone else.

It's all about risk management and defense in depth.

Reminds me of something that @Lee McWhorter has mentioned a number of times in his TTT's - the VSFTPD 2.3.4 exploit - an intentional backdoor that was created by a trusted member of the VSFTPD team that opened port 6200 on a remote system. So Greg's point is also very valid - when you bring in folks from the community, for ANY project, closed or open source, the possibility exists that a member of the dev team can be a bad actor.

There are other remedies in the security world for this, such as third-party auditing of code, which gets another set of eyes on code before it ever gets to production. We can layer security, one right after the other, to prevent just about anything from happening. But as we all know, adding more security gets expensive and inconvenient, and to the point to which as @Brian Ford alluded, open source can break down if you don't have a robust community to support it. And even then, it's never 100%.

Goes back to one of my first points - there is no such thing as absolute security - there are no silver bullets. Trust makes things a lot easier, but it opens a person or system up to vulnerability. And security is a direct function of what a client's risk appetite is like. @jasoneckert made the statement of "reasonably secure out-of-the-box", which implicitly says, "good enough for some uses". But when paired with the other tenants of security, good enough may not be "good enough". It might be good enough for day to day operations at a career college, but if the system is being used to process DoD Top Secret material, that changes the standard.

That's why I said security is about risk management. I don't often find IT specialists, even ones working in security, who conduct risk management and risk assessments of their infrastructures. No risk registries or P&I charts. What we often see, are blanket approaches to security, with security practices being applied because "it sounds like a good idea, why not?". Buy this firewall solution, buy that SIEM package, transfer whatever risk we cannot mitigate. Simple, right?

But again, more security is less convenient. More security is more expensive. Coupled with that, we find ourselves going back to the "good enough" principle - we just have to be sure that "good enough" principle is based on objective qualitative and quantitative analysis, not just the advertising and/or reputation of a particular software product, or whether or not it's open or closed source.

/r

 

[Tess Sluijter]

Linux is secure. The security comes from the fact that the entire community oversees its development and maintenance. With the entire community involved it is considered safe to use.

Another aspect to consider is that because of how it operates, it becomes somewhat secure because of a lesser form of familiarity.

I vehemently disagree with both these statements and Rick has explained pretty well why.

The notion that open source software is "safe and secure" because it's inspected and tested by a community is an ideal which in reality isn't upheld. Case in point, projects like OpenSSL, Log4J and so on are run by skeleton crews who get by on the bare minimum. With devastating issues as result.

And as Rick points out: obscurity does not equate to security. It's actually a false sense of security. See also the "MacOS is secure because nobody uses it" falacy.

 

[Tess Sluijter]

That's why I said security is about risk management. I don't often find IT specialists, even ones working in security, who conduct risk management and risk assessments of their infrastructures. No risk registries or P&I charts. What we often see, are blanket approaches to security, with security practices being applied because "it sounds like a good idea, why not?".

Mate, if we ever meet I'm buying you drinks. I can't agree more.

Risk management and threat analysis is skipped everywhere. My current team works very hard to introduce DevOps squads to threat modelling, getting them to integrate it into their design phase (which will also bring many other benefits).

 

[Brian Ford]

I vehemently disagree with both these statements and Rick has explained pretty well why.

The notion that open source software is "safe and secure" because it's inspected and tested by a community is an ideal which in reality isn't upheld. Case in point, projects like OpenSSL, Log4J and so on are run by skeleton crews who get by on the bare minimum. With devastating issues as result.

And as Rick points out: obscurity does not equate to security. It's actually a false sense of security. See also the "MacOS is secure because nobody uses it" falacy.

All true Tess. And remember that many of the SSL vulnerabilities impacted commercially developed and supported products that used (but did not exhaustively test) community developed libraries. And Linux is open-source!

 

[Rick Butler]

Mate, if we ever meet I'm buying you drinks. I can't agree more.

Perhaps someday, it will happen. A future Partner Summit, perhaps.