Newbie question : the impact of linux on the security industry

[ashish_singh_2010]

Joined today, complete newbie to computer science and linux.
From whatever little i read, it seems that linux is much more "secure" than windows(which i use).
Will a steady increase in the popularity of linux reduce the business of security companies that (i believe) depend on the insecurities of windows ?

Any insight into this is highly appreciated.
ashish.

[ashish_singh_2010]

Sorry, bouncing it ! I hope thats allowed.

[JBorneu]

When comparing a modern Linux distro with Windows Vista / Seven or their server counterparts, Linux in itself is not more secure.

It used to be that Linux was a lot more secure than Windows, because Linux distro's are designed to be a multi-user environment connected to the internet, while Windows used to be a single user stand-alone desktop OS. From Windows Vista on, however, with the implementation of user account control, DEP, the new Windows firewall etc. Windows is a very secure operating system -if and only if used correctly, off course.

This does not mean you should become any laxer about taking security measures. Any OS contains vulnerabilities and no computer system will ever be 100% secure. Software is developed by humans, humans make mistakes / install deliberate backdoors so there will always be vulnerabilities in every OS.

Now about the security business: On the contrary. At this very moment, there is virtually no malware for Linux because it is not economical to develop Linux malware. As the number of Linux users grows, it will become profitable for malware developing companies to create linux malware. (Make no mistake, most of today's malware is developed by underground companies with large teams of hackers, not by loner geeks in cramped basements.) At the same time, the number of uneducated users who know next to nothing about proper computer usage will rise. This means a lot of people who think "Linux viruses don't exist and I'm bulletproof because I use linux" and don't bother keeping their systems clean, up-to-date and secured, in other words: easy targets. Now as the malware developers start attacking Linux, the security companies will suddenly find a whole new market begging for simple security solutions. Plug-and-play firewall frontends and anti-malware suites like they exist on Windows are severely lacking in functionality - if they exist at all - on - Linux.

Thus, in my opinion, if the Linux userbase grows exponentially, the security business will not suffer at all, except for the companies who won't bother developing Linux security solutions.

[ashish_singh_2010]

At this very moment, there is virtually no malware for Linux because it is not economical to develop Linux malware. As the number of Linux users grows, it will become profitable for malware developing companies to create linux malware.

True, the economic factor is very important in the development of for-profit malware. I too feel that linux will suffer the fate of windows when its popularity increases. But, my "linux friends" say that this is a fallacy. However, none of them has given any proof for their assertions. where can i get some proof/explanations for this. I might not understand all those, but its worth looking at.

BTW , the windows 7 UAC feature is irritating as it prevents some legal-software from installing correctly/registering itself etc. But, malware can easily bypass all those features - which i learned the hard way.

[elija]

Well, it's a partial fallacy. Linux is far more secure by design but no operating system can protect against (and I'm not kidding here) the kind of stupidity displayed by a legal secretary interviewed on the BBC when the I love You virus was rampant, who said, and I quote "Of course I'd heard of the I love you virus, but *giggle* I had to open the mail didn't I? *giggle* it said "I love you"

And we want these people using Linux?

[Etna]

When comparing a modern Linux distro with Windows Vista / Seven or their server counterparts, Linux in itself is not more secure.

It used to be that Linux was a lot more secure than Windows, because Linux distro's are designed to be a multi-user environment connected to the internet, while Windows used to be a single user stand-alone desktop OS. From Windows Vista on, however, with the implementation of user account control, DEP, the new Windows firewall etc. Windows is a very secure operating system -if and only if used correctly, off course.

This does not mean you should become any laxer about taking security measures. Any OS contains vulnerabilities and no computer system will ever be 100% secure. Software is developed by humans, humans make mistakes / install deliberate backdoors so there will always be vulnerabilities in every OS.

Now about the security business: On the contrary. At this very moment, there is virtually no malware for Linux because it is not economical to develop Linux malware. As the number of Linux users grows, it will become profitable for malware developing companies to create linux malware. (Make no mistake, most of today's malware is developed by underground companies with large teams of hackers, not by loner geeks in cramped basements.) At the same time, the number of uneducated users who know next to nothing about proper computer usage will rise. This means a lot of people who think "Linux viruses don't exist and I'm bulletproof because I use linux" and don't bother keeping their systems clean, up-to-date and secured, in other words: easy targets. Now as the malware developers start attacking Linux, the security companies will suddenly find a whole new market begging for simple security solutions. Plug-and-play firewall frontends and anti-malware suites like they exist on Windows are severely lacking in functionality - if they exist at all - on - Linux.

Thus, in my opinion, if the Linux userbase grows exponentially, the security business will not suffer at all, except for the companies who won't bother developing Linux security solutions.

It is already happening.

If you have been reading the news, you would have been fully aware that huge companies like Sony, Nintendo and even the CIA had their servers hacked into by bored, not-for-profit hacker groups like Anonymous and LulzSec. Assuming the statistics are true, and that more than 60% of the world uses Linux for their servers, then it just goes to show that Linux is indeed breakable, since i'll willing to wager at all the 3 high-profile companies i mentioned above are very likely to be using Linux to power those very same servers that were hacked and forced offline with huge chunks of personal information compromised.

And even if you don't want to talk about the server side of Linux, even the mobile front of it has already been hit. For the past few months, the Linux-based Android operating system for smartphone have been making headlines over the presence of malware hiding in rogue apps that have somehow managed to find their way into the official Android Market apps repository.

[Etna]

BTW , the windows 7 UAC feature is irritating as it prevents some legal-software from installing correctly/registering itself etc. But, malware can easily bypass all those features - which i learned the hard way.

If that happens, you can temporarily turn off UAC to facilitate the installation of that one application, then turn it back on again if needed. Worked in Vista, and I'd expect it will work in Win 7 as well. After all, SELinux in Fedora also has the annoying tendency to block some of my services, enough to justify switching its 'enforcing mode' from 'strict' to 'permissive'.

And anyway, as pointed out, not even the most intrusive security features can protect an OS if you have a user dumb enough to click 'OK' onto every single installation promt that pops on. Very disappointing to see how a powerful security mechanism in Windows is rendered completely ineffective and useless due to the actions of more-stupid-than-stupid users who refuse to learn good computing habbits and are stupid enough to let themselves get tricked into downloading and installing malware.

[Jonathan183]

Will a steady increase in the popularity of linux reduce the business of security companies that (i believe) depend on the insecurities of windows ?

Security is dependent on the knowledge and skills of the system administrator and the behavior and understanding of the end user.

The increasing use of Linux as a desktop system for home users will mean the system administrator and user are likely to be the same person. That means bad habits like run as root and poor use of sudo are more likely to develop, as it's seen as an easier way of doing things.

I think distros will end up enforcing things like only permitting administrator to perform limited functions, and stop them being able to run applications like web browsers and media players. This will improve security and effectively prevent system wide attacks via applications like web browsers. This will not stop a particular user account being compromised, but I think that will be tackled at individual application level.

I don't think the pay for security approach will necessarily work with Linux, since system configuration tends to be plain text rather than binary. Given the choice I'd much rather setup a Linux install to be secure rather than a Windows install ... but that's just my opinion