Why do people have the general conception that Linux/BSDs are secure?

What it says in the title. I am curious to know why people think this way.

P.S- Don’t post “Security through Obscurity” arguments or “Linux has centralized repos therefore Linux more secure” arguments. They are cringy to read.

  1. People seem to believe that being open source, means that the software is secure/private. “If there was any privacy/security issues we’d know about it, right?”
  2. Windows has been marketed as an insecure platform, by many companies, over many years. As of yet, this hasn’t happened to Linux.
  3. Lack of understanding of the platform, and the software that’s used. Not to mention misinformation that gets spread, by people who don’t know what they’re talking about.

Windows has it’s fair share of flaws. Lack of proper sandboxing of it’s apps , insecure C++ code in it’s kernel and a lot more. But atleast Microsoft is trying to secure it. Their latest Windows 11 has a lot of security features with TPM 2.0 requirement. Microsoft is also adapting Rust. Windows also has ACG CFG and most of it’s store apps are well sandboxed. Their most remarkable being Edge’s secure browsing which loads Edge in a Hyper-V container therefore protecting the user’s computer.

  1. Windows remains the dominant platform, so it’s the one that gets targeted by the most viruses. Even the second most popular desktop OS, Mac, had (still has?) the reputation of being “virus-proof” compared to Windows, so naturally, an even more obscure OS like Linux would have an even greater reputation for not having malware.
  2. Somewhat related to 1. The type of people using Linux tend to be people who are already proficient with computers, which reduces the malware cases of Linux users even more, which makes it seem even more secure.
  3. Privacy/security mix-up. Linux gets talked about as private, and people misremember/misinterpret that as people saying it’s also more secure.
  4. It’s the “Hacker OS”. Of course, it’s going to be more secure. Only the geeks and programmers use it.

Of course, the centralized repo and the open-source stuff is also a thing, but y’all already mentioned it.

This is a bit of a stretch, but I also feel like Linux, more than any other OS, feels like the cool club. So people tend to have the urge to proselytize or “convert” other people to using Linux, and to convince people, they start listing reasons why Linux is the best, which includes it being “really private and secure”.

Because of that, the security of Linux becomes part of the general consciousness around it, more so than any other OS.

Richard Stallman and dumb youtubers like Luke Smith, Mental Outlaw, Distrotube, Rob Braxman, Chris Titus Tech etc…(these guys think Debian is the most secure OS and thinks Qubes isn’t needed.)

The collective foolery of mature middle edged man spewing shit on Youtube who spew shit without having the slightest idea what shit they are talking about is astonishing but not surprising. Boomers lol.

This is rather reductive and rude to say and doesn’t actually add anything to the discussion. Perhaps you should start your own channel and show us how it’s done?

Why do people have the general conception that Linux/BSDs are secure?

I am not under the assumption that Linux is particularly secure but it offers much better privacy out of the box.

However I think that OpenBSD takes the right approach with security, I like their security first approach. OpenBSD improves on a lot of areas where linux fails; small code base, microkernel, proactive security and security by default.

I think that OpenBSD strikes a good balance between usability and security, I’d rather not use Qubes OS because I need to use applications that need hardware acceleration such as Kdenlive, the GIMP and Darktable. Qubes OS also has very high hardware requirements that mean that you need a very powerful system to be able be able to use Qubes without it being slow and cumbersome. Don’t quote me on this but I belive Qubes OS is only supported on amd64, this isn’t that much of a big deal however with the rise of arm hardware like Apples M2 and M1 (OpenBSD has already added support for both) people on that platform can’t use Qubes OS.

Here are some links to OpenBSD documentation that might be interesting reading:

https://www.openbsd.org/security.html

https://www.openbsd.org/faq/index.html

Does this apply to macOS since it uses BSD kernel?

1 Like

Not exactly, macOS has good security and usability but it was originally based on 4.4BSD-Lite2 and FreeBSD however I don’t think that it’s security is good because of that it’s just that Apple has developed their new technology with security in mind (secure enclave, filevault, system integrity protection). I think it might also be because apple makes the hardware they can implement better security measures in their operating system because they have control of the hardware.

I’m not entirely sure about this though because I’ve never used macOS just read stuff online.

I’ve never seen these names come up except for filevault.
But Linux got a much better CVSS Score(3.2) compare to macOS(7). Not sure if this is a good way to measure security when it comes to operating systems. I;ve seen it used with browsers
Linux: Linux Linux Kernel : CVE security vulnerabilities, versions and detailed reports
macOS: Apple Mac Os X : CVE security vulnerabilities, versions and detailed reports

3 Likes

https://isopenbsdsecu.re

The above website basically tells you about the useless mitigations employed by openbsd and why it’s not as secure as many deem it to be.

1 Like

Measuring CVEs is an incorrect way to measure the security of a platform. There aren’t any CVEs for Haiku TempleOS or Redux…does it mean they are secure?

1 Like

You should DM this guy I’ve been seeing around the discussions called Qubesfan. He seems to have a lot of the same opinions that you have. I think you’d like him.

First problem is that CVE counts have the same problem as using no. of reports as a metric in that you can’t immediately tell if the program is less secure or if there’s just more eyeballs on it.

Second and a much bigger problem IMO is that you’re comparing the Linux Kernel to Mac OS, which is more than just a kernel. On a regular Linux install, you’d also be using something like GRUB, X.Org or Wayland, your Desktop Environment, the login manager, etc. So to properly compare the two, you should be comparing MacOS to all of those components you’d be using on your install.

Linux is not more secure than macOS. Infact, it is not even remotely nearly as secure as macOS.

Linux for the most part lacks access control for apps. Flatpak and portal reduce some of this problem, but flatpak lacks granular control and no one is enforcing the usage of portals. As an example, controlling audio recording permission with Flatpak is a mess, as most things will just use the PulseAudio socket directly and you cannot deny them audio recording permission. You can revoke the PulseAudio socket, but that will deny both audio in and out. And this is only limited to apps which you install via Flatpak - any apps that you install via your package managers are not restricted whatsoever unless you spend hours and hours making an SELinux policy or AppArmor/Bubblewrap profile for each of them.

The X11 server on Linux is also a huge problem. Any X11 window can snoop on any other X11 window and keylog + screen record you. Nested X11 is not great for performance at all and its hard to enforce it system wide. Wayland solves this problem, but not all apps work with it yet, and XWayland windows can still snoop on each other.

None of the issues I described above exist on macOS. Unless you give an app elevated privileges, they all have to play by the rules with the permission system.

Linux also lacks the concept of verified boot or system integrity verification. In fact, most distros don’t even do UEFI Secure Boot right - the verification ends at the kernel and the initrd is left unverified, unencrypted and vulnerable to evil maid attacks. There is no protection against persistent malware whatsoever too, even if you manage to protect the initrd, because there is no verification that extends to /usr, /bin, /sbin, and various other directories. macOS on the other hand has proper verified boot from the firmware to the system volume, protecting it from both evil maid attacks and persistent malware. Beyond verified boot, it also has system integrity protection, limiting what the root user can do.

There are also various miscellaneous things that macOS has such as system-wide umask setting (as opposed to just the shell), app signature verification, and so on.

Telemetry on macOS, for the mot part, is optional. Unless someone can prove otherwise (by capturing it on the network or something), any claim about invasive telemetry will not hold. Also, remember that being open source doesn’t imply being trustworthy. You are still placing complete trust in whoever distributing the compiled version of your software (which will be your OS vendor most of the time if you use a traditional Linux desktop distribution) to not add nasty code in there and screw you over.

Some of Apple’s apps do have mandatory telemetry or lack E2EE sync, but that is about it - you can simply not use them. One annoying aspect about macOS is that they really want you to make an apple account to do a major macOS version upgrade via the App Store (though you can still obtain the installer via their CDN if you know where to look) and that they collect hardware IDs.

In short, macOS has superior security when compared to Linux, and privacy wise it is still a great option as it has great protection against the third party software that you install. It is not great for threat models where you require anonymity, but most people don’t have such threat models to begin with.

Some people will say Linux is targeted less and is therefore safer, but that is simply not true. Irrelevance != security. ReactOS/Redux/TempleOS is even less targeted than Linux, macOS or Windows because no one uses it, does that make it a secure operating system? And remember, malware for Linux does exist, and it’s not hard to make one either. The security model is so bad that it’s basically “if you execute bad code, you are screwed”. There is not even a need for an OS exploit to compromise your system if the app you are running is malicious. The OS itself doesn’t protect you from anything.

P.S- Refrain from calling me a Apple shill. Also please don’t counter my points with quotes taken from FSF Website. The comparison is purely from a security perspective and not “user freedom” or whatever that’s supposed to mean.

1 Like

Linux / BSDs are generally going to be more secure than windows. I think this mostly comes down to attack surface: windows is an enormous bloated mess that just keeps getting fatter and fatter. Every new feature introduces 2 new bugs, and no one has the ability to slog through windows code to debug things. Its why they have to continue to drop legacy support for programs that used to work in older version of windows; the only way to fix some of their security flaws is to completely rewrite the code, which breaks old binaries. Linux is also bloated, just not as much as windows is. Linux maintains bugs, The real reason ifconfig on Linux is deprecated | blog.farhan.codes

Much much easier to secure than Windows. I have watched to many video of Windows pros saying what can and can’t be done to believe otherwise. And open source where many eyes can examine for holes has inherent advantages. Also not having a owning company trying to make a buck tempted by walled garden tactics and all that juicy information about users and what they do with the products does help.

1 Like

Hate to disagree with you here, but you are outright wrong here.

For the rest of your post you don’t discuss the security of the operating system.

No, I don’t believe I am wrong at all about that. for instance take a listen to Windows is NOT Safe - YouTube
And please explain how say SELinux level of security can be had in Windows or even added by non-MS folks not allowed to see everything that may be relevant to guard in the OS.

I don’t have time, knowledge or energy to do a point by point OS level comparison myself. But I can point to some general characteristics that lead me to seriously doubt Windows can ever be made as secure as Linux.

System policies in Windows can be created contrary to your belief.

Linux has been shunned by people who understand computer security for decades now. We all know about Xorg and how “secure” it can be. The innumerous amount of memory leaks in Glibc and lack of CFI ROP JOP etc. Funny how Edge is regarded as a meme when browsers like Epiphany Falkon exists. And since you appear to be a SELinux fanboy here is some knowledge for you “SELINUX DOESNT DO SHIT. IT IS POWERLESS AGAINST MEMORY CORRUPTIONS.” Rust has been used in Microsoft kernels for almost what 6 yrs now? And somehow people are making a big deal about Linux getting it in 2022. And mind you that won’t bring about revolutionary changes in the state of security of Linux(mixed binaries), and would result in the opposite. And people don’t realise that most big tech servers use Hypervisors and then use Linux on top of it. There is compartmentalisation, no Xorg bs and a heavily stripped down system meant for server usage. Android/IOS/MacOS have the best security currently. Qubes is reasonably secure and Windows is decent in terms of security. Linux/BSDs are utter garbage. Cope with it Stallman.

i’m no expert, but how can a closed-source operating system which is intentionally designed with security flaws/back doors, be more secure?

Uhh…lets see, they are the only ones to come up with sane security for the desktop and mobile.

Stallman told you that or are you him?
Nonetheless I have a counter question for you…are you sure that the ~20 year old bug in XOrg is not intentionally delayed by NSA since the bug basically allows any running unprivileged app to log your keystrokes, log whatever you’re doing on the computer? Or how about “secure” Polkit handing over root password to any unprivileged app? U sure that’s not made by NSA? I call these kind of bugs “intentional back doors”.