Linux ain't Secure

Linux ain’t secure people


Linux platform comprises of people who are mainly seeking better privacy and security than what the proprietary desktops can offer. But it is extremely unfortunate that the Linux Developers do not care for your security and definitely does not make it with the threat model of Desktops/Phones in mind. The majority of the Linux market share is in the server space where competent people patch and keep their server secure. It is not something you can do in a click. Most of the distros do not have basic app sandboxing, verified boot or secure boot (Only Fedora and Ubuntu does this, they get a lot of hate from the community for that).

Linux kernel lacks some of the basic security features every other kernel has. It’s important to note the distinction between Linux and Unix kernel. The BSD kernels are miles better in terms of security compared to what Linux offers. It’s not “Secure by Default". It requires you to make it secure.

Centralized Point of Failure

I have often seen this argument where Linux enthusiasts claim the repos are a good way of getting apps instead of scouring the web for search for executables. But do keep in mind that the repos can be a single point of failure. The repos sure are a good way of getting stuff, but they need to implement good security practices, Hash verifications, Compiling with secure flags, Downgrade prevention, Fs-verity, Signature verification, TOFU etc. The way Android does it is very secure and can be a good inspiration.

Linux is secure because people don’t use it

That’s “Security through Obscurity”, not a very good approach of keeping your PC secure. A thing is only secure when it’s made to be secure from the ground up, like ChromeOS, Android, QubesOS, Whonix, IOS etc. “Hardening” aka “Turd polishing” does not help much.

Where stuff gets worse….

Let’s say your threat model is that of a regular old citizen and you don’t care about all this nonsense. You use Linux just because you like the looks, can customize it to your heart’s desires. Go ahead….use Linux. More power to you.

But really where stuff gets worse is in cases where lets say a regular citizen who had been fed all those lies gets a sensitive stuff about a country abroad. Now this person does not have his Government in his/her threat model or Google in his threat model. This person will try to store all that info in his “Unbackable” Arch Linux and we know what happens next.

Misinformation can be a very dangerous tool as demonstrated above. It is important that we have the correct information and deal it the right way.

A thing being Opensource doesn’t make it secure.

I will quote Privacy Guides Here-

These myths stem from a number of prejudices, but the source-availability and licensure of a software product does not inherently affect its security in any way. Open-source software has the potential to be more secure than proprietary software, but there is absolutely no guarantee this is the case. When you evaluate software, you need to look at the reputation and security of each tool on an individual basis.

Open-source software can be audited by third-parties and is often more transparent regarding potential vulnerabilities than their proprietary counterparts. They can also be more flexible, allowing you to delve into the code and disable any suspicious functionality you find yourself. However, unless you review the code yourself there is no guarantee that code has ever been evaluated, especially with smaller software projects, and the open development process can sometimes be exploited by malicious parties to introduce new vulnerabilities into even large projects.4

On the flip side, proprietary software is less transparent, but that does not imply it is not secure. Major proprietary software projects can be audited internally and by third-party agencies, and independent security researchers can still find vulnerabilities with techniques like reverse engineering.

At the end of the day, it is vital that you research and evaluate the privacy and security properties of each piece of software being used and avoid making decisions based on biases.

P.S-I don’t hate Linux in any way. I pointed out the flaws in it. that’s all. Much love to Linux devs for their awesome work, and much love to the community on general (Except Arch community maybe?)

1 Like

Ok,… what about Unix? OpenBSD or maybe FreeBSD?

This is correct. However, whenever I hear people talk about Linux, it’s for privacy, not security. People like it due to having no or little data collection in most cases, being open source, etc. Personally, I have never heard anyone claiming Linux is secure

1 Like

Got to any subreddit with Linux or privacy attached to it. Youtubers such as Mental outlaw, Distrotube also make this type of content stating Linux is secure and how it respects your freedom which is utter bs.

Yes they are fine. Linux is the problem not Unix.

What OS are you using?

Windows/Kali Linux for work, Graphene(Android) on Phone.

And an IPad for taking notes and stuff.

interesting.
What are your thoughts concerning the use of Kali Linux vs. an Arch install vs. FreeBSD or perhaps even a Mac OS?

Just recently I was looking at this video from Techlore:

Do you have any thoughts or even arguments about this video?

1 Like

You shouldn’t use Kali Linux for anything other than Pen-testing or cybersec. stuff.
In Arch you need to set all the kernel parameters and Apparmor (SELinux Support is unofficial) and tons of different things suited for an highly advanced user. Also when using the AUR manually verify the PKGBUILDS yourself for malicious code.
FreeBSD is “Secure by Default” but lacks most drivers apps are not updated well enough, many are not even available. I wish they were, but sadly they are not.

I would recommend MacOS. It’s has good security practices, the Secure Element and a Full Verified Boot Support and strongly sandboxed apps makes it really good for general use.

The video is good. I wish the “HARD part” were extended to a step by step demo for novice users. So I wouldn’t consider it a complete hardening guide.

Even if you followed through the HARD part the fundamental insecurities present in Linux cannot be mitigated very easily and many apps would break.

I have, but it’s not a straight up “Linux is more secure”. It’s more of a " Linux can be more secure"

Well there is SELinux and other hardenings. Even very minimal measures post-install that almost anyone can do is a lot more privacy preserving than Mac or Windows and much more secure than Windows which almost seems made for spying and hacker targeting. So while undoubtedly Linux can be improved we always have to keep in mind “compared to what”. At least with open source there is the ability, not guarantee, of examination and fixing vulnerabilities without depending on some perhaps NSA compromised corporation.

Crazy thought but here goes anyway. Anyone ever thought about putting Mac OS on their hardware? please be nice and don’t beat me up too much.

Don’t think that’s a good idea as the verified boot will not work, Secure element and lot of security features will be missing.

Use Windows or ChromeOS.

1 Like

Lots of Apps won’t work rendering your computers unusable, depends how far you go. (Given you follow through Arch Wiki Security Guide)

Linux is privacy-friendly but not secure. It’s important to make the distinction.

But one could also argue that a system which is not secure cannot be private.

Linux is the least secure system falling even behind windows.

1 Like

Yes, but also not without hours upon hours upon hours of hardening it yourself. Stuff like CFI doesn’t really exist in Linux, whereas it does on Windows. If you actually harden your system, a lot of software will no longer work, your system will be slower and so on.
Linux and security does not go together well, rather the complete opposite.

This is important. If your system lacks sandboxing for example, a simple web app could access your whole system in the worst case. So the installed applications itself might be private, but due to a lack of security, your actual system isn’t.

I hope you know that the way most distributions compile software is not secure. If you truly want a system with security that can be compared to Windows, be prepared to get into compiling software yourself with clang.
CFI is important, but not achievable with gcc (surprise, most distributions use gcc). So unless you compile your software with clang and the -flto -fvisibility=hidden -fsanitize=cfi compile flags, you are unable to achieve security that can be compared to Windows without making Linux look awful.
If you’re interested in the whole “lowlevel” hardening you should do: Linux Hardening Guide | Madaidan's Insecurities

Since this question isn’t being addressed: This is what I prefer as the best overall balance of privacy/security/compatibility/time commitment/knowledge required to use. Especially for people who aren’t technical, and want to use an OS with formal support.

The missing context in this thread is that security is highly relative to a threat model. I see a lot of: “X is more secure than Y therefore X is insecure and you shouldn’t use it!” It’s the security equivalent of people who do this from a privacy POV (“Why would anyone ever use a VPN when Tor is better than it in every way”) or (“Why would I ever use MacOS or Windows when Linux is more private”) when in reality all these mentioned tools have pros/cons that will fit user’s needs differently.

My experience has been: Anyone who says “USE X” blatantly, making that decision for others is not someone I’m going to be looking to for advice. Generally, they’re more concerned about pushing their own beliefs than genuinely trying to understand the individual and what they need/want. At least this has been my overwhelming experience. Even the title of this thread “Linux Ain’t Secure” is bizarre; given countless servers in the world are built on Linux, many individuals with high threat models use and rely on Linux, even many governments rely on Linux - clearly it can be secure given certain circumstances. And even then, the definition of what is ‘secure’ is going to drastically vary by individual.

3 Likes

I have addressed the issues present in many Linux Distros and the default Linux kernel. I don’t think anyone in server space, government uses the Linux kernel as is. They usually harden it to a large extent which is near impossible for anyone that doesn’t own a cybersecurity degree. Also anyone setting such parameters would cause apps not to work.

I don’t know that. If may, who are they?
(Do note Qubes is not a Linux Distro and Snowden using Tails doesn’t count as ‘using’ Linux.)

Such is not written in my post. I requested people not to spread misinformation regarding the state of Linux Security. The privacy/security community likes to believe that Linux is more secure than Windows or Mac when such is not true (Go to any Linux subreddit). I am not against anyone using Linux.

Let’s say your threat model is that of a regular old citizen and you don’t care about all this nonsense. You use Linux just because you like the looks, can customize it to your heart’s desires. Go ahead….use Linux. More power to you.

Edit it as you see fit.

@Dom0 What set up do you have? How did you configure your OS it to the point where you felt it was secure enough to use as your daily driver?

Hackintosh has been around a while. But I find Linux much better than MacOS even before Apple made it less usable.