Without education, it doesn’t matter which OS is “more secure”

In Linux online communities, oftentimes there are debates about which operating is the most secure—Windows or a Linux-based distribution. The debates usually go something like this:
Do I have to worry about security in Linux the way I did in Windows? No, you don’t have to. Linux is much more secure. But isn’t that just because it’s less targeted? If it were as popular as Windows, it would have just as many security problems. No, it wouldn’t. Read this article about how Linux has better security, and don’t forget that Linux servers are huge targets and still more secure than Windows servers.

And it goes on and on. The details of a secure structure, sensible (from a security standpoint) defaults, and frequent patches for exploits are all important parts of security. Ultimately, though, security debates about the structures of the OS are moot when the user does not employ good security practices. It’s a bit like people debating whether kevlar is “more secure” than chainmail armor. Well, what if the attack is through biological warfare rather than a bullet or sword? What if the person you’re trying to secure can be tricked into taking off the kevlar/chainmail? Then it doesn’t really matter which covering is more difficult to penetrate, does it?

And this is also why bringing in servers into desktop security debates doesn’t shed light on whether an increase in user base will lead to more security compromises. Servers tend to be administered by server administrators—professionals whose job it is to constantly battle and prevent online security breaches. On the home desktop (and sometimes even the business workstation), users tend to be less savvy about what to click or not click, what to install or not to install, and when it’s a good idea to type one’s password.

Yes, developers should try to strengthen the security of the OS in terms of structure and defaults. Yes, developers should create patches for newly discovered exploits (buffer overflows, for example). Nevertheless, if the Linux user base does increase to the point where desktop Linux is a significant target for malicious users, and computer users in general remain as uneducated as they are now, then all those security patches will be for naught. Users who can’t discern the difference between a spoofed webpage and a real webpage are the security exploits that can be patched only through education. Users who will give their passwords away to untrustworthy sources are security exploits. Users who will install some “cool” program (yes, in Ubuntu it could be a .deb file you double-click or an added repository) that happens to contain spyware or a rootkit are security exploits.

A larger Linux user base with no better education than computer users as a whole have now is going to be subject to the same social engineering malware attacks that the current larger user base Windows has. No developer-created patch is going to fix that hole.


  1. Sorry, Dr. Small and Ubuntucat, but that link only gives the following error (has the link been ‘jailed’ or something? )

    you do not have permission to access this page. This could be due to one of several reasons:

    1. Your user account may not have sufficient privileges to access this page. Are you trying to edit someone else’s post, access administrative features or some other privileged system?
    2. If you are trying to post, the administrator may have disabled your account, or it may be awaiting activation.

  2. I agree 100% and have said so before. The only thing going for Linux in terms of security is a larger savvy user base. Because Linux isn’t presented by default, people who use it tend to have chosen it and know enough about computers to avoid most of the basic pitfalls that real security problems are comming from these days, i.e. phishing, attachment viruses, etc.

  3. I don’t know if I’d go so far as to say the only thing going for Linux in terms of security is the user base. Linux definitely has some other things going for it. My point was mainly that if your user base isn’t security-savvy, all the security the developers so nicely plan out will be easily compromised.

  4. Well, not the only thing, but the only thing in the ways that really matter today. The point of entry for nearly every security risk you see today is bad users. Increased security across the board have rendered network distributed virii largely a non-issue. While there are still probably millions of computers infected, it’s not typically going to be a corporate network or a large enough segment to make it really important like Blaster was.

    In terms of internet security, I’d say today’s issues are:

    1. Phishing – not addressed by any OS, and really not in that realm
    2. Keylogging/data-mining spyware – this isn’t an issue with Linux because the programs aren’t developed there, but if they were, the only difference would be if the user was smart enough not to install it, and people are installing these things becuase they think they want them.
    3. E-mail virii – in theorey Linux has an edge because of the way execution permissions work, but if you’re dumb enough to download it and try to run it, you’re probably dumb enough to give the .deb execution permission

    I would put things like network-distributed virii like worms a very distant fourth, and I honestly don’t know enough about how these operate to confidentlty say any OS has more of an edge than another.

  5. I have thought about Ubuntu including a basic tutorial. Something like one of the ‘people’ that make the Ubuntu ring logo talking to you and telling you basic things about what to do when you first install or you run the LIVE CD. The person could choose to leave it on to let it help you with topics. Sorta like the Microsoft word helper, but less annoying.

    Also, there should be a sticky in the forums telling people what and what not to do, such as not executing ‘su’ or ‘sudo’ all the time.

Leave a comment

Your email address will not be published. Required fields are marked *