Why Linux is more secure than Windows

By Jeff Silverman

The recent security breaches at Target and Neiman Marcus have prompted a lot of discussion among computer experts and computer expert wannabes about the relative security of Windows and Linux.  I am writing this essay to straighten the record.

  1. Windows users can install system software unless the system administrator locks down the account; Linux users cannot install system software unless they either know the root password or have sudo access.
    How often have you come to a website where the site downloads some software which you then install system-wide?  This happens all the time in the Windows environment.  By way of contrast, in the Linux environment you have to save the software and then become root to install it.  Or sometimes you can install it under your own account, which means you can wipe out your own data, but not the rest of the system.  Critical services, such as the web server, run under their own accounts, which ordinary users can't touch.
    Exception: there have been several privilege escalation exploits in which a process executing on a Linux machine can escalate to root privileges.  See for example, scip.  That one is a bug in the kernel.  Notice that the bug was fixed in three days.  How would a remote attacker exploit such a bug?  Generally, it is done through sloppy software written in PHP, although there are other attack vectors.  Lesson learned: any system can be exploited if you have bad application software.
  2. Linux can be installed in a read-only memory (ROM).
    Linux has a disciplined separation of software, configuration settings, and variable data.  Windows does not.  In Linux, software goes in /bin, /sbin, /usr/bin, /usr/sbin, /usr/local/bin, or /usr/local/sbin.  Configuration data, which changes rarely and need not change once the system is deployed, goes in /etc.  Variable data goes in /var.  It is easy to put the root file system (/) on a ROM and create a mount point at /var.  That mount point is then mounted from a file system on a solid state disk (SSD) and can hold read/write data (/tmp can be symlinked to /var/tmp).  Once the OS and the applications are saved in ROM, they are immutable: an attacker can theoretically get some software into RAM or onto the SSD, but they cannot change the software in ROM.  Period.  By way of contrast, Windows has everything all mixed up.  Case in point: the registry.  It has to be on a writable file system.  If you have an application, it typically goes in a directory under C:\Windows and stores both the application software and application-specific data in the same directory, so it can't be saved in a ROM.
    Where the software-in-ROM approach falls down is a phenomenon called the Internet of Things.  Suppose a security vulnerability is found in software in ROM.  Then a technician has to go to each device with the vulnerability and change the ROM.  That's an expensive proposition.  There are lots of devices (hundreds of millions) that were installed with software in ROM, have known vulnerabilities, and have not been updated.  This is an ongoing problem for the entire internet industry.
  3. The Windows registry.
    The registry is a gigantic store of state information for a Windows machine.  Because applications manipulate it, it cannot be protected against the applications by the operating system.  When you edit the registry with the regedt32.exe program, there are all kinds of warnings to be careful, lest the system be left in an unbootable state.  By way of contrast, there is only one configuration file that you would ever modify on a Linux machine that would make the machine unbootable if you corrupted it: /etc/inittab, and you rarely modify it.  Each Linux application that needs configuring system-wide has a configuration file either in /etc or in a subdirectory under /etc.  By having a nice, clean separation of configuration, it is possible to modify the configuration of one application without messing up some other application.
  4. SELinux
    The National Security Agency (NSA) wanted to build a more secure operating system.  They needed the source code to the entire operating system.  The NSA went to Microsoft, and our friends in Redmond laughed at them and then politely said "no".  They went to the Linux people, and the response was "You don't need our permission - take it for free.  You can get it at http://kernel.org/.  By the way, if you need any help, just ask and we will help you for free.  All we ask is that if you change the source code, you give back the changes".  The NSA agreed.  They created SELinux, which is just like regular Linux but has been hardened with stricter resource controls.  Then they gave it away, for free.  So, if you have an application where security is important, like a point-of-sale terminal, you can install SELinux.  It is a little more work, but security is worth it.  If somebody were to get an application installed in RAM, as I postulated above, SELinux would detect that and forbid that application from accessing any resources.
  5. Ease of upgrades
    Both Windows and modern distributions of Linux have a mechanism for automatically updating software.  One difference is that when you update your Windows machine, you frequently have to reboot the operating system, sometimes more than once per upgrade.  By way of contrast, with Linux you rarely have to reboot the operating system, and then only once.  One of the consequences of this is that some Linux servers have operated continuously for over three years, and uptime of 700 days or more is fairly common.  No Windows administrator in his or her right mind would let a server stay up that long.  Furthermore, Windows has one mechanism for upgrading Microsoft's software and many mechanisms for upgrading the applications.  By way of contrast, since most Linux software is open source, the distributions send out updates whenever they happen, using the same mechanism as for operating system updates.  You decide how frequently you want to check the distribution for updates.
  6. Eat your own dogfood
    Microsoft is a corporation full of very smart people.  Syria is a country which is too stupid to hold free and honest elections - they have a civil war instead.  And yet we have things like this and this.  Now, it is quite possible that the Syrian Electronic Army is actually somebody else (Personally, I think they are a bunch of Yeshivah boys who want to have some kosher fun, and there is nothing in the halacha about hacking into somebody else's computer system).  But it doesn't matter who is behind it - Microsoft seems to have more than its fair share of security problems with its own systems.
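Item 2 describes a layout in which every directory holding software or configuration lives on a read-only root file system and only /var is writable.  The following check is an added example, not part of the essay: it reads a /proc/mounts-style table (the sample tables are constructed), resolves each software directory to the mount that actually covers it by longest-prefix match, and reports anything the layout leaves writable, including the case where a read/write volume has been mounted on top of a software directory.

```python
# Software and configuration directories that item 2 says belong in ROM.
SOFTWARE_DIRS = ["/", "/bin", "/sbin", "/usr/bin", "/usr/sbin",
                 "/usr/local/bin", "/usr/local/sbin", "/etc"]

# Constructed /proc/mounts-style samples (device mountpoint fstype options dump pass).
GOOD_MOUNTS = """\
/dev/mtdblock0 / squashfs ro,relatime 0 0
/dev/sda1 /var ext4 rw,relatime 0 0
"""
# A single read/write volume holding everything, as on a typical Windows box.
BAD_MOUNTS = "/dev/sda1 / ext4 rw,relatime 0 0\n"


def parse_mounts(text):
    """Map each mount point to the set of its mount options."""
    table = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 4:
            table[fields[1]] = set(fields[3].split(","))
    return table


def mount_for(path, table):
    """Return the longest mount point that is a prefix of path, as the kernel resolves it."""
    best = "/"
    for mp in table:
        if path == mp or path.startswith(mp.rstrip("/") + "/"):
            if len(mp) > len(best):
                best = mp
    return best


def check_layout(text):
    """List violations of the immutable-root layout: software writable or /var not read/write."""
    table = parse_mounts(text)
    problems = []
    for d in SOFTWARE_DIRS:
        if "ro" not in table.get(mount_for(d, table), set()):
            problems.append(f"{d} is writable")
    if "rw" not in table.get("/var", set()):
        problems.append("/var has no read/write mount of its own")
    return problems


if __name__ == "__main__":
    # On a real system: check_layout(open("/proc/mounts").read())
    print(check_layout(GOOD_MOUNTS) or "layout OK")
    print(check_layout(BAD_MOUNTS))
```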
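Item 4 says SELinux would detect and forbid an application that an attacker managed to drop onto the writable part of the system.  What that detection looks like in practice is an AVC denial record in the audit log; the parser below is an added example, not the essay's or the SELinux project's code, and the audit records it works on are constructed in the real audit.log format.  It also separates denials that were actually blocked from ones logged under permissive mode, which are reported but not enforced.

```python
import re
from collections import Counter

# Constructed audit records (not real captures), in the format SELinux writes
# to /var/log/audit/audit.log.  Record 1: a web server trying to execute a file
# dropped in /var.  Record 2: the same process trying to write into /etc.
# Record 3: a denial in permissive mode, logged but not enforced.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1390000000.101:201): avc:  denied  { execute } for  pid=2210 comm="httpd" name="dropper" dev="sda1" ino=4081 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1390000000.101:201): arch=c000003e syscall=59 success=no exit=-13
type=AVC msg=audit(1390000000.105:202): avc:  denied  { write } for  pid=2210 comm="httpd" name="passwd" dev="mtdblock0" ino=77 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0
type=AVC msg=audit(1390000000.200:203): avc:  denied  { read write } for  pid=1800 comm="backupd" name="shadow" dev="mtdblock0" ino=78 scontext=system_u:system_r:backup_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=1
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(audit_text):
    """Return one dict per AVC denial; other record types (SYSCALL etc.) are skipped."""
    records = []
    for line in audit_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        rec = {k: v.strip('"') for k, v in KV_RE.findall(m["rest"])}
        rec["perms"] = m["perms"].split()
        # scontext/tcontext look like user:role:type:level; the type is what policy keys on.
        rec["source_type"] = rec["scontext"].split(":")[2]
        rec["target_type"] = rec["tcontext"].split(":")[2]
        rec["enforced"] = rec.get("permissive") == "0"
        records.append(rec)
    return records


def summarize(records):
    """Count denials per (source domain, target type, class, permissions, mode)."""
    return Counter(
        (r["source_type"], r["target_type"], r["tclass"], " ".join(r["perms"]),
         "blocked" if r["enforced"] else "permissive-only")
        for r in records)


if __name__ == "__main__":
    for key, n in summarize(parse_avc(SAMPLE_AUDIT)).items():
        print(n, *key)
```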

Windows is an okay general purpose operating system.  Its success on the desktop cannot be denied.  Of course, the reason why it is successful is because it is successful, not because of any intrinsic technical superiority.  Windows costs more, is less efficient, and denies the users some critical choices.  Linux is free, is very efficient, and has a bewildering number of choices (Sometimes, I think that the vast number of choices is one of the things that holds Linux back).  However, Windows is the de facto standard.  For embedded systems, such as point-of-sale terminals, it does not make sense to use a general purpose operating system.  It makes sense to use an operating system that is either designed to be an embedded system or else specially modified for such a secure application.  People who advocate using a general purpose operating system, such as Windows, for a sensitive application clearly do not understand the spectrum of design possibilities and the consequences of their design decisions.

If anybody wants to argue these points, feel free to contact me at jeffsilverman at gmail dot c0m.