Ask Slashdot: Why Not Linux For Security? 627
An anonymous reader writes "In Friday's story about IBM's ban on Cloud storage there was much agreement, such as: 'My company deals with financial services. We are not allowed to access Dropbox either.' So why isn't Linux the first choice for all financial services? I don't know any lawyers, financial advisers, banks, etc., that don't use Windows. I switched to Linux in 2005 — I'm well aware that it's not perfect. But the compromises have been so trivial compared to the complete relief from dealing with Windows security failings. Even if we set aside responsibility and liability, business already do spend a lot of money and time on trying to secure Windows, and cleaning up after it. Linux/Unix should already be a first choice for the business world, yet it's barely even known of. It doesn't make sense. Please discuss; this could use some real insight. And let's at least try to make the flames +5 funny."
Re:Fine, I'll bite (Score:5, Informative)
Additionally, Linux distribution security generally isn't much better than modern Windows.
Marketing efforts aside, reality disagrees.
The share of Windows malware increased to 99.6%. Classic Windows program files dropped 0.3% proportionately, but the increase in .NET programs compensated for this
loss.
In the first half of 2011, the lion share of malware was once again written for Windows systems.
Only one in two hundred and fifty malware programs is not a Windows program file. The proportion of classic Windows program files (Win32) continues to drop. However, .NET programs (MSIL) compensate for this loss of 0.3% and the overall share of Windows malware programs is on the rise.
1 Win32 1.218.138 97,8 %
2 MSIL 21.736 1,7 %
3 WebScripts 3.123 0,3 %
4 Scripts 832 0,1 %
5 Mobile 803 0,1 %
6 Java 313
7 *ix 233
8 NSIS 131
http://www.gdatasoftware.co.uk/uploads/media/G_Data_MalwareReport_H1_2011_EN.pdf [gdatasoftware.co.uk]
Note that the 6% of Apple Macs infested are included in that "*ix 233" figure.
As for the Lawyers . . . (Score:2, Informative)
I can't speak for the financial advisors and banks, but for the lawyers, it is inertia. In 2000, when I graduated from law school, the firm I worked at still used Word Perfect 5.1 on Windows 97. They were convinced in 2001, to upgrade to Windows 2000. Even then they ran Word Perfect in a DOS box. They kept this for two reasons. The first was they didn't want to retrain their legal secretaries. Document formatting is very important and intensive in legal briefs, so you need to know the word processor in much greater detail than to write a term paper. The second reason is that they had purchased a customized version of Word Perfect that integrated with the accounting software the firm used. This was not easily duplicated. When they finally did upgrade to Word, they had to buy a whole new accounting package, and the conversion process, including training, took months.
I suspect that what keeps law firms, and most other professionals, from making a switch to Linux is the desire to avoid the unknown and the learning that goes with it. That is bolstered by the fact that every industry has some killer app that just doesn't exist on Linux.
Re:security is a system, not in a product (Score:2, Informative)
Bullshit, do you have anything to back that up with? Appliances to monitor traffic are not just a Linux thing, if you care about it that much, you'll want them for a Windows only network as well. As for firewalls, if you're at all competent, you should be able to set one up for Linux without any particular trouble, for free. Set up the rules once and you probably don't have to fiddle with them again.
And no, people don't work for free, so I'm curious why you're only counting that when it comes to Linux, I doubt very much that Windows Admins work for free.
Re:Wonderful Support... (Score:5, Informative)
The thing people like a lot of the times is that microsoft offers support, they have it stuck in their head that if you spend money on it, it must be better than a free alternative.
I've worked for several Fortune 500 companies. Support has nothing to do with the decision: Exclusionary contracts do. Microsoft offers huge discounts to businesses that agree not to use a competitor's product. They also regularily check for compliance and there are large fines for any company caught using open source software. Management often parrots what Microsoft says to tell the tech workers who question the policy, but if you ask the right people the right questions, you'll find out the company you're working for entered into an exclusive contract with Microsoft, and that was one of the conditions.
Dropbox is issue, not just Windows (Score:4, Informative)
The problem with Dropbox isn't just that it exposes Windows insecurities, it's also that it makes it easy to export lots of stuff out of your company, potentially with wimpy passwords, to a storage system which your company doesn't have any control over - Dropbox doesn't even have to tell your company if they've gotten a subpoena or "friendly" FBI request for the material, and with no contract, there's no way to specify data retention limits.
At $DAYJOB, we've got a Dropbox-like service (at least the "upload/download from browser" part of it, not the "glom onto everything" part), because it's useful to have something like that. It goes to our own storage, and has encryption we've got control over, and it keeps the employees from needing to find other ways around the firewall's block on Dropbox uploads.
Re:Because Security is not a priority for Linux (Score:5, Informative)
They do use Linux. (Score:5, Informative)
I've worked for some of the largest banks in the world, and:
1.) They use craploads of Linux.
2.) They're going to stop using Windows.
3.) They'll never use dropbox.
Detail:
1.) They use craploads of Linux.
Just about every bank has declared Linux to be the future for application services, with a few exceptions for specific applications. Accounting will stay mainframe for a very long time, Collaboration will remain MSExchange for a very long time, Sharepoint probably as well, and rinky-dink one-off applications may still run only on Windows servers, but only if those apps come from software shops built by math/business/commerce geeks (algo stuff, etc.). Most databases, report generation, records keeping, document management, webbanking backends, and other banking stuff will continue their current trend of UNIX-to-Linux. Some banks are 20% along their UNIX-to-Linux projects, some are at 80%, but I don't know any that aren't on that road.
I think you were talking about desktops, though, not the datacenters and server farms. That's a very superficial way to look at banking computing. Banks do not use Windows machines to do banking, they use Windows machines as desktops for running Exchange, and Office, and banks are thrilled that they can *also* use those same pieces of hardware as dumbterms for people to SSH/Telnet to some banking applications and also access the newer applications through the browser. But, if it wasn't for Exchange and Office, they wouldn't use Windows, they'd use Linux thin clients. I actually know one bank that's trying to migrate people to Google Apps for just this reason, but it's really hard, because bankers really do love office/exchange.
2.) They're going to stop using Windows.
But they're not going to go to Linux. The banks are all calling it "BYOD" for "Bring Your Own Device." Bankers really, really, really want to use Mac desktops and iPads and Android phones and ditch Windows -- but there's no way they'll switch to Linux on the desktop unless that Linux is called Android. So, the banks are currently running well-funded projects to replace all their Windows-desktop-only applications with web-based apps that'll work from any browser, and also throwing lots of money at companies like Good Technology to be able to get iPads and Android Tablets in to the workplace.
Microsoft is trying to use Office360 or WTF it's called so that they can still sell stuff to banks that have ditched Windows on the desktop, but there's going to be lots of turmoil over the next 5-10 years as that progresses. Windows on the desktop in banks is effectively dead already -- I know 3 banks that have decided to stick with XP on the desktop instead of upgrading to Win7 because the Win7 upgrade costs are better spent in moving faster to this better future.
3.) They'll never use dropbox.
Banks are required to log everything, and logging everything you upload to dropbox and everyone that downloads it and all of that crap is so expensive that you should find out what the approved tools are for doing what you want to do. Most banks will allow SFTP/SCP between trusted endpoints if the right people sign the right forms. In my experience, dropbox is only ever requested in banks by someone that wants to break the law and is too stupid to know what law they'd be breaking.
Dropbox blocking is not something IT decided to do, it's something the lawyers required IT to do, and it has nothing to do with "security" in the way that there are "security" differences between operating systems. It has to do with the kind of security you have in the lobby that would ask questions if you started walking out the door with canvas bags that have dollar signs on them. If the banks allowed dropbox, naughty employees would copy documents to home that their daytrader spouses would use for insider trading (seen that more than once).
Re:Fine, I'll bite (Score:4, Informative)
Re:Fine, I'll bite (Score:5, Informative)
Do a lot of on-line banking on your Android phone, do you?
Yes, my bank provides an app to do that.
Or have a nice, high bandwidth connection you could saturate to support a DDoS attack on someone who didn't pay their protection money?
Yes, wifi, same as my laptop.
Or store any juicy company data that could be handy for not-quite-insider trading?
Yes, my company has a BYOD policy.
Re:Fine, I'll bite (Score:5, Informative)
it's remote exploits of one of the services that are installed, by default, to be accessible from the Internet.
Why worry about defaults?
If you're choosing Linux for security, you can already choose one of the security-enhanced distros like SELinux (if you trust the NSA) or Ubuntu Privacy Remix https://www.privacy-cd.org/ [privacy-cd.org], or LPS http://www.spi.dod.mil/lipose.htm [dod.mil], or Fortress Linux http://www.fortresslinux.org/ [fortresslinux.org] etc etc etc. Or just roll your own with your favorite distro and GRSec installed http://grsecurity.net/ [grsecurity.net].
All of these are a (free) download away. It's not like it's difficult to secure Linux if you choose to.
That's why all this bullshit about Linux being as insecure as Windows, but less popular is just FUD. If Linux IS ever threatened the same way, the FOSS community is ready and has the tools to respond. Linux users won't have to wait for a vendor to reluctantly spend the money to ramp up a security team. They'll just benefit when it's needed.
Re:Linux isn't more secure (Score:4, Informative)
Linux is really more secure. Here's why.
You as a normal windows user by default have sufficient rights to modify or delete files in the OS.
Not true in Linux.
When you install an application in windows it ususaly drops files all over everywhere, adds stuff the the registry etc. so ususally extends the operating system itself. There is no partitioning.
Again, not true in Linux.
Re:Wonderful Support... (Score:4, Informative)
I think I know the contracts you're talking about.
They're not exclusionary in the way you describe, but IIRC one of the cheaper volume licensing schemes does include language to the effect of: "Count **every PC you own that is capable of running this software**, that's how many licenses you need to purchase if you want to use this cheap licensing scheme".
Suddenly the cost savings from F/OSS software - on the desktop at least - are dead in the water.