In Linux online communities, oftentimes there are debates about which operating is the most secure—Windows or a Linux-based distribution. The debates usually go something like this:
Do I have to worry about security in Linux the way I did in Windows? No, you don’t have to. Linux is much more secure. But isn’t that just because it’s less targeted? If it were as popular as Windows, it would have just as many security problems. No, it wouldn’t. Read this article about how Linux has better security, and don’t forget that Linux servers are huge targets and still more secure than Windows servers.
And it goes on and on. The details of a secure structure, sensible (from a security standpoint) defaults, and frequent patches for exploits are all important parts of security. Ultimately, though, security debates about the structures of the OS are moot when the user does not employ good security practices. It’s a bit like people debating whether kevlar is “more secure” than chainmail armor. Well, what if the attack is through biological warfare rather than a bullet or sword? What if the person you’re trying to secure can be tricked into taking off the kevlar/chainmail? Then it doesn’t really matter which covering is more difficult to penetrate, does it?
And this is also why bringing in servers into desktop security debates doesn’t shed light on whether an increase in user base will lead to more security compromises. Servers tend to be administered by server administrators—professionals whose job it is to constantly battle and prevent online security breaches. On the home desktop (and sometimes even the business workstation), users tend to be less savvy about what to click or not click, what to install or not to install, and when it’s a good idea to type one’s password.
Yes, developers should try to strengthen the security of the OS in terms of structure and defaults. Yes, developers should create patches for newly discovered exploits (buffer overflows, for example). Nevertheless, if the Linux user base does increase to the point where desktop Linux is a significant target for malicious users, and computer users in general remain as uneducated as they are now, then all those security patches will be for naught. Users who can’t discern the difference between a spoofed webpage and a real webpage are the security exploits that can be patched only through education. Users who will give their passwords away to untrustworthy sources are security exploits. Users who will install some “cool” program (yes, in Ubuntu it could be a .deb file you double-click or an added repository) that happens to contain spyware or a rootkit are security exploits.
A larger Linux user base with no better education than computer users as a whole have now is going to be subject to the same social engineering malware attacks that the current larger user base Windows has. No developer-created patch is going to fix that hole.