Common myths and misunderstandings about Linux security

1. Linux is insecure because it is a free operating system


The Linux community has an excellent reputation for providing fast support and fixes for security holes when they occur. This is primarily because a large number of well-informed people around the world can provide input into any potential security problem, and patches can be quickly released for the Linux community to test without the cumbersome administration that the major Unix vendors have to deal with.

Recent experiences with bugs such as the 'ping of death' and teardrop TCP/IP attacks have shown that Linux had patches released within hours of the security hole being publicly announced (usually via bugtraq). Microsoft and the major Unix vendors took up to several weeks or months to release patches to their operating systems.

A recent write-up in Wired looked at the open development of Linux and FreeBSD and how that assisted the rapid release of fixes for the bonk hole.

The open nature of the Linux source code has meant that the Linux community has been able to audit and plug many potential security problems in advance.

The security advantages of Linux as a free operating system include:

  1. Complete open source code for the kernel and utilities - there is no 'security by obscurity'

  2. A large, active developer base ensures constant auditing of the source code for potential security problems

  3. The massive world-wide user base for Linux ensures that each aspect of Linux's security is tested in a vast range of different computing environments on all sorts of hardware, making Linux one of the most stable and secure operating systems available

  4. The on-going development of Linux ensures that it stays on the cutting edge of many Unix security developments

2. Linux is insecure because there is no toll-free support number


Linux has excellent support from a variety of sources, including USENET, user groups like LUV, commercial resellers of Linux (e.g. Caldera and Redhat) and consultants, and you can now obtain phone support for Linux from a number of sources.

Have you tried getting phone support from Microsoft recently?

3. Sendmail is a big security risk - you should be using FooBarMail


sendmail - love it or hate it (probably hate it) - it is the most widely used MTA (mail transfer agent) in the world today, and has been for over a decade.

It is big, it is complex and highly configurable, meaning that a wealth of security holes have been discovered over the years, leading to a bad reputation in some circles.

It certainly seems to be secure these days - there has not been a major hole found in it for at least three weeks - but you may want to consider one of the alternatives, such as smail or qmail; the latter is gaining a reputation as a highly secure, free MTA (but is lumbered with a restrictive distribution licence).

4. A Linux system can be infected by a virus

Technically, yes.

A program called bliss has demonstrated enough properties to be classified as a virus, and runs under Linux. It does require the root user in order to infect any system binaries.

5. Linux can be infected by DOS viruses (virii?) if you run Samba


While it is possible to have DOS viruses inside a DOSEMU window, Linux does not execute DOS or Windows programs, removing the risk of infecting your Linux system.

6. My distribution is more secure than your distribution

Possibly true :)

One of the strengths and also one of the weaknesses of Linux is the myriad of distributions that exist for it, with at least five major distributions at the moment (Debian, Redhat, Caldera, SuSe and Slackware). This means that different Linux distributions ship with varying levels of security and have different levels of commitment to keeping their customers up to date with security information, patches and upgrades.

Both Redhat and Debian have demonstrated a very strong commitment to both shipping a secure product and rapidly releasing security upgrades whenever appropriate (to the point where they shame every other major Unix vendor).

The commitment of some other distributions has been somewhat less impressive.

7. My operating system is more secure than Linux

Possibly true - what's your operating system?

If you want to compare security ratings, Linux does not have a C2 security rating. This means that there are more secure computer operating systems available than Linux. However, they are normally designed for high security environments (such as banking) and cost squillions.

Based on the number of Bugtraq reports over the last two years, Linux has matured into one of the most secure Unix flavours, and is certainly more secure than HP/UX or Irix.

8. Windows NT is more secure than Linux because it has a C2 rating


Windows NT has a C2 security rating, but only when it is not networked. Very useful.

It has been argued that a non-networked Linux system could achieve a C2 rating if someone forked out the $$$ for the validation tests.
