Free Republic

To: Knitebane
Citing columnists that agree with you isn't really "data". But at least you're trying. Also, FR's general audience here needs to know how shallow the "data" in these articles you're posting really is. So, I'll play along.

"Why Windows is a security nightmare". This article claims that Windows' vulnerability comes from: 1. Application churn (installing and uninstalling apps or app components); which causes 2. Registry rot; which makes the user perform a 3. Clean but unpatched install (such as from disk), which leaves the user exposed to viruses until they can re-apply all their patches. A rather flakey premise, given that it basically means that Windows systems are only really vulnerable in the time period between system installation and patch application; Linux systems are vulnerable during this window as well. As for application churn and registry rot, a desktop Linux system will have the user installing and uninstalling stupid small applications and demos 'n stuff just as often as today's Windows users do. And if you think the Windows registry is prone to rot, take a look in your own /etc, /opt, and /var directories sometime, especially after apt-getting or yumming a few dozen useless packages.

"Why Linux Is More Secure Than Windows". This article enumerates several reasons why Linux is more robust against remote exploits than Windows. These reasons are generally legitimate (modularity, better consideration of third-party patch application, etc.). If the primary route of entry of most attacks today was remote exploitation, this article would be relevant. Unfortunately, the article ends with the reminder:

A knowledgeable user can use a Windows 98 safely, an ignorant user may even compromise OpenBSD based systems.
And therein lies the rub. The spread of desktop Linux involves the spread of ever more increasingly powerful and "automatic" Linux applications to a largely naive user base. These users will be exploited just as badly as Windows users are today, and in the same ways; Linux's systemic security protections will do nothing to save them, because that's not how the attacks will come.

"Linux Vs. Windows Viruses". This article, dated 2003, argues that, while both Windows and Linux are of course vulnerable to social engineering attacks, Windows makes it much easier for social engineering attacks to be effective:

Instead of just reading an email (... just reading an email?!?), a Linux user would have to read the email, save the attachment, give the attachment executable permissions, and then run the executable.
The reason that a Linux user has to go through so many more steps is precisely because Windows, as a desktop operating system, makes more behaviors automatic for the user. In the time since 2003, Windows has gotten less automatic (it no longer auto-launches executables), and Linux has gotten more so. The famous article, "How To Write a Linux Virus In 5 Easy Steps", shows how to exploit an automatic program launcher in Gnome/KDE. Why does Gnome have launchers in the first place? To make their Linux system more palatable to the common user as a desktop environment!

"The Structural Failures of Windows". This article gives us a long, long history lesson about Windows. Ironically, it never tells us what exactly is structurally wrong with Windows. Instead, it tells us what has been wrong with Windows historically, and tells us what Microsoft has done in order to fix it. As far as an argument for desktop Linux goes, this article is about as relevant as a security-vs-usability comparison between Windows 3.1 and the Yggdrasil distro. It does, however, paint an overall picture of Microsoft as a company that continuously tries to create more secure and more feature-rich systems while simultaneously striving to retain compatibility with the vast third-party hardware and application base on which its users depend; overall, this article tries to be anti-Microsoft but the "supporting" evidence undermines its own thesis.

"Linux Security: A Big Edge Over Windows". This article, in short, says that it's easier to lock down a Linux system than to lock down a Windows one. This is probably true - if you want to lock it down. Of course, for most users this means no more filesharing apps or YouTube videos, which defeats the purpose of having a computer at all.

James Bottomley, Linux expert and chief technology officer of SteelEye Technology told LinuxInsider. "But just like in your own home, if you leave a door open, you are going to get robbed sooner or later. The way to keep the door closed in Linux is to set policies correctly." ... With most Linux distributions, this is often hard to get right if there is no IT support, cautioned Bottomley.
The thesis of the article is that Linux makes it easier for the user to take security into their own hands. This is not what the desktop user wants.

In Conclusion

You present a number of historical arguments about why Linux has been more secure than Windows, and present-day arguments about why Linux today is more secure than Windows. Both of these arguments include, in part, the fact that, compared to Windows, Linux, both historically and presently, has a base of users that are both more technically competent and more willing to take it upon themselves to ensure the security of their systems - part of which involves being willing to forego certain features and automatic behaviors.

Evolving Linux into a desktop system will belie this premise. In order to claim that desktop Linux will be more intrinsically secure than Windows, you effectively have to prove that it will protect users from running "bad" code while keeping them fully empowered to run all the "good" code they want, even when the users themselves can't tell the difference. None of these articles prove any such thing, because such a system cannot exist.

129 posted on 03/19/2009 2:10:08 PM PDT by Omedalus


To: Omedalus
You present a number of historical arguments about why Linux has been more secure than Windows, and present-day arguments about why Linux today is more secure than Windows. Both of these arguments include, in part, the fact that, compared to Windows, Linux, both historically and presently, has a base of users that are both more technically competent and more willing to take it upon themselves to ensure the security of their systems - part of which involves being willing to forego certain features and automatic behaviors.

No. Try again. Historically, Unix has been more secure than Windows because Windows design has emphasized ease-of-use and system performance over security. That Linux can be made even MORE secure due to the ability of technically savvy users has nothing to do with that basic concept. Windows privilege escalations remain ludicrously simple to this day. Microsoft shows no inclinations to rip out the rotten guts and replace it so it will continue to remain a security cesspit until they decide to do so.

Evolving Linux into a desktop system will belie this premise. In order to claim that desktop Linux will be more intrinsically secure than Windows, you effectively have to prove that it will protect users from running "bad" code while keeping them fully empowered to run all the "good" code they want, even when the users themselves can't tell the difference. None of these articles prove any such thing, because such a system cannot exist.

Too bad your entire premise is wrong. Linux needn't be "evolved" into a desktop operating system. Linux is already a desktop operating system. There is no functional difference between a Linux server serving up Apache requests and a Linux desktop used to browse the web. They run the same kernel, the same userland systems and the same libraries. The only difference is that a Linux desktop starts less software on bootup.

I also note that while your ramblings are long on wind, they are markedly short of something else. Data.

While your posts exude many claims, most of them are wrong. Let me describe a couple:

As for application churn and registry rot, a desktop Linux system will have the user installing and uninstalling stupid small applications and demos 'n stuff just as often as today's Windows users do.

Factually incorrect. Linux systems do not use a registry. Uninstalled software on a Linux system is GONE and leaves no mess behind. Whether using the command line or apt, both contain options to purge all files. There is no such thing (and there cannot be) in Windows.

Instead, it tells us what has been wrong with Windows historically, and tells us what Microsoft has done in order to fix it.

Except that time and again, Microsoft says that they've "fixed" it, yet get exploited again and again through the same design flaw.

The Shatter Attack is the most prominent of Windows design flaws. And while Microsoft patches vectors into the design, they have yet to patch the actual flaw. The Shatter Attack has been debated on almost every security site out there.

And it doesn't seem to be getting any better. For instance:

Black Hat Takes Vista to Task

...shows that rampant structural problems continue to exist in Windows Vista and Microsoft continues to deny that the problem exists...until the next exploit. Which they patch and claim once again that all is well.

Recently a security expert (pay attention, this is what one looks like) wrote this paper outlining the flaws in the Win32 API and Microsoft's response.

Rather than actually fixing the problem...

"When Microsoft saw a copy of this paper, they sent me a response stating clearly that they are aware of these attacks, and they do not class them as vulnerabilities...

I agree completely that in both of these scenarios, 0wning the machine is pretty easy. However, they've missed the point. These are techniques that an attacker can use to escalate their privileges. If they can get guest-level access to a machine, these attacks allow you to get localsystem privileges from any user account."

So once again, rather than fix the actual problem, Microsoft just refuses to acknowledge that the problem exists. Nice.

In the interim we wait breathlessly for your published paper on Windows security.

Until then, readers can rely on dozens of security organizations and professional publications such as SANS, eWeek, Security Focus, The Inquirer, The Register, Linux Insider and CERT or they can rely on you.

131 posted on 03/19/2009 2:44:11 PM PDT by Knitebane (Happily Microsoft free since 1999.)



FreeRepublic, LLC, PO BOX 9771, FRESNO, CA 93794
FreeRepublic.com is powered by software copyright 2000-2008 John Robinson