The weakest link is usually the human. Linux security tries to protect us
from ourselves, but people looking for ease of use often take shortcuts.
There is a trade-off between ease of use and security. Absolute security, if
possible, would be at the expense of the user experience. That is why I
keep mentioning Linux established procedures which may seem onerous to the
newbie coming from a less secure environment, but in the end they work if we
use them as they were intended.

Linus Torvalds, who writes the kernel, is understandably paranoid about
security. On his own computer he shuts off practically all ports which means
that his computer is virtually locked down from the outside. Since he
collaborates with kernel developers he needs to open ports as needed. It
does not sound like much fun to me. No browsing the internet etc. on that
computer. I am sure that he has more than one. I have heard that he has a
Mac and PC. I don't think that many of us would want to spend our computer
time that way. We want to enjoy all that the internet offers.

Someone recently did a study of passwords and found (by hacking) that many
people use easy to guess and short passwords and they use the same one on
every website. This makes identity theft quite simple and hijacking easy. So
having a password is fine, but we need to make a reasonable effort to foil
intruders and people up to no good.

Linux security is better than other OSes (or it wins the competition every
year against Windows and OS/X), but it is not perfect and we are not
bulletproof when we use it. However, if we follow procedures and work the
way Linux is meant to work then we can relax a bit. We still need to be
smart and act wisely to foil the determined. Most people who want to do harm
go for the low hanging fruit, which is one reason Windows users get burned
more often.

It does not help when Microsoft gives hackers openings as with the recently
discovered zero-day security flaw for which they just sent out an advisory
in order to have a workaround (until they can stuff that hole on some future
patch Tuesday). A vulnerability was just uncovered in Red Hat and Fedora was
hacked, so Linux is not perfect. Linux flaws are found from time to time,
but not with the same frequency and they are often patched the same day. Red
Hat seems to be the exception to this rule and they take more time than most
distributions, probably for the same reason that Microsoft does. It is a
large company and it does not want to be alarmist to its user base, which is
business that is conservative and easily spooked. It is embarrassing for
these big companies when these things happen, but what is important is how
the company reacts and how quickly.

The collaborative model works hand in hand with the built-in security to
protect users. Because the code is open and free it can be examined by a
broader community and vulnerabilities uncovered before it is released and
harm is done. Because the process is transparent it cannot be covered up or
denied, a tactic Apple likes to employ; first deny, then blame the user,
then quietly fix it. At least Microsoft is reasonably honest about flaws and
even pays bounties to hackers to find them. They aren't the swiftest to
respond, though, and because it is so big in terms of its user base, delays
have more impact on users and do far more damage than they would in Linux.
The proprietary model used by Microsoft and Apple is more restrictive by
necessity. I am illustrating how users are impacted by both and why the
collaborative model improves security for Linux users. I think the
proprietary model could work if patches were speedier in getting onto users'
computers. I think Microsoft is on the right track, but I am not so sure
about Apple. Users have choice and can choose which model works for them.
Clearly there is little correlation between bugs and successful adoption
because Apple has grown despite having a number of well publicised bugs.

I like Linux security not for any one thing, but the combination that I have
mentioned. The concern that is cross platform is weak passwords, so beware.