I’m tired of this myth

I had a discussion today with someone who maintained with confidence that “If Linux were as popular as Windows, we’d be seeing just as many viruses and just as much malware for it as we see now for Windows”.

While that argument might hold true for desktop users, to an extent, the focus of the discussion was essentially (from his point of view) that “Linux is no more secure than Windows”, fundamentally.

Which is false. When I pointed this out, it was dismissed as simply my opinion, but I believe that he’s stuck in a logical fallacy in this assertion.

Larger targets don’t equal vulnerabilities

The part of the “Linux is virus/malware free only because it’s so small in marketshare” argument that bothers me the most is that it’s intellectually dishonest. It’s skewed, because it usually only refers to desktop installations and user space.

The fact is, according to Netcraft, Windows only makes up about a fifth of all web servers… the rest are mostly Unix/Linux, with Linux making up almost a third of all web servers (significantly more than Windows).

With 3/4 of the world’s web-facing servers out there running Unix and Linux, by the “popularity = more exploits” argument, the Unix and Linux servers out there are the ones most targeted, right?

Nope. If you’re a script kiddie wanting to take over a website, you target ones hosted on Windows. Why? Not because they’re more popular… they’re clearly not. But because they’re considerably easier to exploit.

Yes, any server — even Linux/Unix — that isn’t configured properly and managed correctly and kept patched and locked down can fall to black hats out there. As some like to point out, “Security is not a product, it’s a process.”

Windows might be more popular on the desktop, so a lot of user-targeting happens there, and that’s definitely a factor.

But when you look at things overall from a security/exploit perspective, the “Linux isn’t as popular” argument doesn’t hold water, because that argument too often simply doesn’t take into account that Windows servers are a very significant minority when it comes to the web, and yet they’re still the “low hanging fruit” for hackers and crackers out there looking to “pwn” a website.

Android is pretty much Linux, and isn’t malware on the rise there?

The argument that the individual with whom I was discussing this today should have been making was that “Android is the most popular mobile platform out there, that’s why it has the most malware.”

While it’s true that the Android core kernel is basically Linux, most of what’s going on that’s being exploited on Android is in user space, i.e., the graphical arena in which most users are operating, through which most data is passing, and most of the easily exploitable (and probably least vetted and scrutinized) application code is running.

That does make it a popular target. But is it really the “Linux” in Android that is making it exploitable?

No. What makes it exploitable is Dalvik, which is Google’s “clean room” implementation of Java.

You know. Java. A cesspool of patch swarms dealing with security issues that are potentially catastrophic. Is Dalvik Java? Not according to the court system, it’s not.

But Linux isn’t Unix either, and in most cases, the architectures are so similar you can run Unix applications on Linux systems and vice versa, often without even recompiling them.

The malware issues facing Android are due to its upper layers, that insecure, hole-ridden user space.

If Linux became as popular as Windows on the desktop, it would likely have some malware issues like Android has, but they’d be exploits of the user space, whatever desktop environment was running on top of Linux, but far less likely to be exploits aimed at the kernel itself.

Because the kernel, by Linux’s architecture, is far more protected from programs’ access and user space shenanigans than Windows… in Windows, even if you give a garden variety guest account access to a printer, there is suddenly a direct line of elevated access to the Windows kernel.

This is why even a Windows user with basically no privileges can manage to have their workstation compromised by a simple website drive-by attack.

In Linux, the most that would happen is that you might compromise the user space, the desktop environment that sits on top of the Linux kernel, but has — by design — very limited interaction with it, because unlike Windows, Linux was designed from the ground up with security and multi-user considerations fundamentally in mind.

The end of my rant

In conclusion, this argument bothers me, because it grossly misrepresents Linux as basically “security through obscurity”, when nothing could be further from the truth. Yes, malware and viruses do exist for Linux systems, and yes, Linux can be compromised — what OS can’t?

But the ways Linux can be compromised, and the severity of it are very different compared to Windows, and because Linux is still quite popular in what is arguably a much larger web-facing server target world than Windows will ever be in our lifetimes, the “popularity” argument is pretty easily dismissed.

I think one of the key differences between myself and the individual with whom I was discussing this is the simple fact that I have a foot in each world: I’m an experienced, savvy, knowledgeable Linux expert. But I have also been a Windows admin for even longer.

I know how Windows works compared to Linux. I know the key, fundamental differences that differentiate the two platforms that paint the clear picture of why Linux would still be not as much of a security problem as Windows is now, even if the popularity situations were reversed on the desktop.

Whereas the individual with whom I was having this discussion doesn’t. He’s a Windows admin, always has been, and still thinks Linux is “too hard for regular people to use”, because he sees it as simply a convoluted command-line-only operating system that’s only usable by techies and hardcore computer experts.

And admit it, if you’re reading this, in all likelihood, you’re probably laughing at that last part. Because you probably know better than that too, if you’re here.

So like a lot of misconceptions, I think his largely comes from a simple lack of information and a lack of experience with the full subject.

I haven’t encountered this kind of belligerence from this kind of position of ignorance on the subject in quite a while, so I was a bit taken aback.

And there’s no amount of arguing that can convince someone like that of the reality. All I can do is shrug and say “well, you have your opinions, and you’re of course welcome to have them”. Only time will tell, after all.

Will we ever see the Windows and Linux situations reverse on the desktop? No, I don’t think so, so we’ll probably never get the chance to prove people like that guy wrong. But I don’t think that matters much. His argument was immediately revealed for what it was when he said that Linux wasn’t usable by non-technical users.

— Trent


6 thoughts on “I’m tired of this myth”

  1. Hi Trent,

    Yes I agree! By the way, please don’t repeat a second myth, namely “Java is dangerous”. Java is a *language*, how can a language be unsafe? What is meant is that some Java Runtime Environments in browsers are unsafe. In the sense that they don’t stop malicious applets that take too many privileges (such as sending e-mails etc). The malware in this case is the malicious applet, the vulnerability is in the JRE in that browser. Has nothing to do with Java as a language. The same problem happens with i.e. Flash or Silverlight. Java applications that run on the desktop or server are of course not touched at all by this problem.

    BTW, I just discovered this blog, as a linux desktop user I like it a lot!

    A pet peeve of mine is “the linux desktop failed”. Which basically says “small market share = failure”. In that vein, Ferrari fails (lost to Honda and Volkswagen), classical music fails (Rihanna rules), haute couture fails (face it, the market votes for H&M). We should look in terms of user experience, stability, efficiency, availability of software, innovation and so on. In nearly all aspects Linux “rules”. I would prefer a larger market share though, so that Linux has more influence on hardware. I would *love* to see shiny new laptops with open hardware (bios, graphical cards).

    • Thanks for the comment!

      Yes, of course you are right with respect to Java. The JRE is what I was referring to when I brought up those security concerns. In reality, any platform like that that runs in userspace can be an attack vector, particularly if there are unpatched vulnerabilities — regardless of what OS one is running!

      Likewise, I don’t see Linux’s small desktop market share as a failure of any sort. In fact, I really like your examples of other high quality products that have low market share that are ALSO most certainly NOT failures. 🙂

      Thanks for reading, and thanks again for the insight!

  2. About the existing viruses on Linux – there have been a few, but them existing and them being alive are different things.
    Correct me if wrong, but firstly there haven’t been new ones for a long time (over 15 years?), and secondly, the actual ones documented, probably most if not all, would crash or be terminated if you tried to execute them on a modern – meaning any since at least 2.4, if not 2.2 – kernel.
    Still, a bot can use a vulnerability to register an admin-level user for a blog platform one runs on an Apache server on Linux, but that’s not really a virus, and the flaw that led to this on my home web server was fixed in WordPress as quickly as a flaw that serious is fixed if found in the kernel.
    That was NOT a Linux flaw; in fact I dunno if it could be worse under Windows with IIS + PHP… I think I recall that MS let Windows run some critical parts of IIS on CPU Ring 0, which we also know as kernel space – not even the Unix root or the Windows System “user” account lets one run code in kernel space. Meanwhile, Apache, which needs root capabilities, will after starting switch down to a less privileged account of its own, for security.

    • Some of those critical components running in ring 0 that you mention are actually formally verified (mathematically proven correct). Most notably the HTTP implementation, HTTP.sys. And Linux now supports TLS in ring 0, which I don’t much enjoy the sound of. Not that the way IIS works is necessarily good… Just wanted to point that out.

      Fun fact: Linux used to have a web server in ring 0, called the Tux web server. There is even an obsolete system call for it, tux().
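The privilege-drop pattern mentioned in the comment above (a daemon starts as root to bind a low port, then switches to an unprivileged account before handling untrusted input) is easy to get subtly wrong, so here is an added example of how it is done and verified. This is illustrative code written for this page, not Apache’s or any commenter’s code; the `drop_privileges`, `lookup_account` and `bind_listener` function names, the use of the `nobody` account and port 80 are assumptions of the example.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <netinet/in.h>
#include <pwd.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

/* Permanently drop from root to an unprivileged uid/gid.
 * Returns 0 on success, -1 on failure (errno is set by the failing call,
 * EINVAL if the target is root, EPERM if root could still be regained). */
int drop_privileges(uid_t uid, gid_t gid) {
    if (uid == 0 || gid == 0) { errno = EINVAL; return -1; }  /* refuse a no-op "drop" */

    /* Supplementary groups are inherited from root and would keep its group
     * memberships alive; only root may clear them, so skip when not root. */
    if (geteuid() == 0 && setgroups(0, NULL) != 0) return -1;

    /* Order matters: once the uid is no longer 0, setgid() would fail. */
    if (setgid(gid) != 0) return -1;
    if (setuid(uid) != 0) return -1;

    /* setuid() as root sets real, effective AND saved ids, which is what
     * makes the drop irreversible; confirm every id actually changed. */
    if (getuid() != uid || geteuid() != uid ||
        getgid() != gid || getegid() != gid) { errno = EPERM; return -1; }

    /* Paranoia check: an attempt to regain root must now fail. */
    if (setuid(0) == 0) { errno = EPERM; return -1; }
    return 0;
}

/* Hypothetical helper: resolve an account name to uid/gid. 0 on success. */
int lookup_account(const char *name, uid_t *uid, gid_t *gid) {
    struct passwd *pw = getpwnam(name);
    if (pw == NULL) return -1;
    *uid = pw->pw_uid;
    *gid = pw->pw_gid;
    return 0;
}

/* Bind a loopback listener. Ports below 1024 need root (or
 * CAP_NET_BIND_SERVICE), which is why this runs BEFORE the drop;
 * the open socket survives the change of identity. Returns fd or -1. */
int bind_listener(uint16_t port) {
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return -1;
    struct sockaddr_in sa;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    sa.sin_port = htons(port);
    if (bind(fd, (struct sockaddr *)&sa, sizeof sa) != 0 || listen(fd, 16) != 0) {
        close(fd);
        return -1;
    }
    return fd;
}

int main(void) {
    /* Privileged step first (run as root to see the full sequence). */
    int fd = bind_listener(80);
    if (fd < 0) { perror("bind_listener"); return 1; }

    uid_t uid; gid_t gid;
    if (lookup_account("nobody", &uid, &gid) != 0) { fputs("no such account\n", stderr); return 1; }
    if (drop_privileges(uid, gid) != 0) { perror("drop_privileges"); return 1; }

    printf("listening on 127.0.0.1:80 as uid %u, gid %u; root cannot be regained\n",
           (unsigned)getuid(), (unsigned)getgid());
    close(fd);  /* a real server would now accept() connections as 'nobody' */
    return 0;
}
```

The two details that separate this from a cosmetic drop are the order (groups, then gid, then uid) and the final `setuid(0)` probe: a daemon that only calls `seteuid()` keeps a saved uid of 0 and can be switched back to root by any code it later executes, which is exactly the kind of “it runs as a low-privilege account” claim worth checking with `ps -o user,pid,cmd` against a running service.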

  3. Pingback: Why I Use Linux | The Linux Critic
  4. This is definitely a useful resource for people who are under the impression that Linux is the new Mac (“zomg lol no viruses!”), but it would be nice if it also included some technical details, like Windows’ higher quality malloc implementation or the Linux kernel devs’ lack of focus on security.
