Ask Slashdot: Why Not Linux For Security? 627
An anonymous reader writes "In Friday's story about IBM's ban on Cloud storage there was much agreement, such as: 'My company deals with financial services. We are not allowed to access Dropbox either.' So why isn't Linux the first choice for all financial services? I don't know any lawyers, financial advisers, banks, etc., that don't use Windows. I switched to Linux in 2005 — I'm well aware that it's not perfect. But the compromises have been so trivial compared to the complete relief from dealing with Windows security failings. Even if we set aside responsibility and liability, business already do spend a lot of money and time on trying to secure Windows, and cleaning up after it. Linux/Unix should already be a first choice for the business world, yet it's barely even known of. It doesn't make sense. Please discuss; this could use some real insight. And let's at least try to make the flames +5 funny."
Fine, I'll bite (Score:5, Interesting)
Usability (Score:5, Interesting)
If you've got things to do, learning how to operate a Linux system is low on the priorities. If people start finding hiccups because of the differences between Linux and Windows they'll rapidly complain to tech. support, who will soon fold under the pressure of people not being able to meet their commitments due to not understanding their workstations.
Linux isn't the top dog because it's 'more secure' than Windows, it's not the top dog because it's not as well known as Windows. I see more people using Mac in the workplace now, and with the popularity spike in BYOD I would suggest that if Linux were to become more user friendly, Linux would be slowly be adopted anyway.
We should remember that >60% of servers run Linux, versus Windows.
Re:Wonderful Support... (Score:5, Interesting)
Well if you want to spend a lot of money on a well-supported enterprise solution, there's still Solaris. And it's not like there's any shortage of commercially-supported Linux enterprise OSes too.
I understand that it's more important to some people to be able to have someone to scream at from outside the company who is contractually obligated to fix your stuff when it breaks. Microsoft offers that, but a million other companies do too.
I think it more often comes down to the simple fact that Microsoft stuff has more mindshare, and thus an easier learning curve for a greater number of employees. It's the standard because it's the standard because it's the standard.
Re:security is a system, not in a product (Score:2, Interesting)
because the windoes security guys work for free!
Problem is the user, not the OS (Score:5, Interesting)
At least at the level of "business desktop", I believe "user stupidity" is a far bigger threat than "insecure operating system". Yeah, for a ___ server, or firewall, or really any sort of system managed by trained, competent people, the OS or applications may indeed be the bigger risk, but on the desktop? All it means is that instead of attaching bank_of_nigeria__withdrawal_forms.pdf.bat, they'll attach bank_of_nigeria__withdrawal_forms.pdf.pl when running a scam.
Linux is not a magic security bullet - such a thing simply does not exist. No OS is unbreakable. My company found that out ourselves, when we discovered just how completely '0wn3d' a particular clients' Linux servers were - let's just say the guy who configured them is now fleeing the *country* to escape the gross negligence and breach-of-contract lawsuits (when your job description is "keep these servers up-to-date and secure", and they're still running a version of Debian from '02 and participating in Anonymous DDoS attacks, you've failed).
Windows also, I have to admit, has gotten much better at security compared to the 95/98 days, or even the XP SP0 days. Linux still has a security lead, but that lead is now orders of magnitude smaller (especially since Linux, at least for certain distros, seems to be trading security for usability).
Re:Fine, I'll bite (Score:5, Interesting)
Funny, where I work we still use XP which is still the same rotting mess it was 10 years ago, the only difference is that it is wrapped in so much duct tape and so much time, effort and expense has been invested in it that the infosec people treat Linux and OSX as the same steaming pile of shit and it is really hard to break them free of it.
At least for IBM... (Score:5, Interesting)
Home users are basically helpless cattle; but they are also low value targets. If a drive-by download or a trivial trojan can't land some malware, they are safe. If it can, they are helpless.
Your enterprise, on the other hand, likely has the desktops locked down good and hard, firewall and IDS and people paid to care. However, they are a high value target. It is plausible, indeed quite likely, that they are getting actual human attention, from actually competent attackers, customized payloads, possibly even the honor of having one or more zero-days used against them. They are also much more likely to be running complex, web-facing applications, where the security may not rely on the underlying OS that much at all(how many sites have been exploited purely through more-or-less OS agnostic attacks on their CMS?)
In this scenario, it isn't entirely clear how much better Linux is than Windows(and, also, it isn't necessarily the case that the desktop OS matters nearly as much as the competence and vigilance of the chaps watching the network for funny business).
Re:Office (Score:5, Interesting)
Office, plus things like Visio and MS Project. And I don't care how much someone argues, Dia is nowhere near a good a product to date as Visio. And there is nothing in the Linux world that even compares to MS Project. There are some apps with 'project' in the name that might even look a little like MS Project, but nothing that can compete. ERD tools are another thing. Yes there are a bunch that run on Linux, but even a mid to low price Windows offering like Toad Data Modeller is head and shoulders above anything you can find for Linux. And the multitude of financials software out there runs on Windows not Linux.
Software vendors simply don't want to deal with the GPL if it means there is any chance that they will have to give away the code they spent hundreds of thousands, if not millions of dollars to develop. You will find them occasionally making software that will also run on OSX, but again the license there won't force them to give away anything. And I know there is the LGPL, but it still has GPL in the name which rightly scares the vendors. And with the way some of the more rabid FOSS people are, vendors don't want the worry of a v4 of the GPL and/or something that deletes the LGPL, etc. Unless vendors can be guaranteed to make money on their investment they won't write top level code for Linux, and without top level apps, people won't use it... except for programmers who have made tons of decent apps to work on the platform they code entereprise apps for (not the client apps that the bosses use).
Applications (Score:4, Interesting)
People use computers to run applications. The operating system should be chosen to support the applications they need, not the other way around.
Business already has too many problems with Mac fanatics insisting on using Apple products. The main issue is they demand the computer/OS *before* seeing if any of the applications used at the office are supported. Ass backwards.
However, the question in the article was a non-sequitur. The use of cloud services has absolutely nothing to do with operating system of choice. It has to do with losing control of data.
Case in point, IBM didn't say "You can't use Dropbox on Windows", they said "You can't use Dropbox". Yes, there is a Linux client for Dropbox.
Re:Wonderful Support... (Score:2, Interesting)
If you think that Solaris is "well supported", you must spend at least half a million a year on it, since Oracle won't even look at anyone who asks about spending less than that on Solaris/Sun hardware these days. Hell, I'd probably get better support running Debian/Sparc than I would trying to get support from Oracle for Solaris...
Re:been done before (Score:5, Interesting)
> corporate types want somebody to blame when things go pear-shaped
I think that's part of it, but an even bigger part is just sheer inertia. Budgets are tight, the economy is still struggling, and even though Windows costs a little more, a lot of PHB's figure they'll just hire people who know how to use Office and Outlook and be done with it.
BUT ... and here's the real reason I popped in here; I've been dying to say this for some time now. :)
I think this is changing. Our own company, as recently as three years ago, was still buying standard laptops with Windows and Office pre-installed. We are now migrating over to iPads and Android tablets. The privacy issues concern us somewhat, but I think this is going to increase in the future. People are willing to learn new "apps" to replace what they used under Windows, too.
I think Microsoft had better be very, very worried about this trend. Years ago, most people who bought computers demanded Windows on it. Nowadays, people buying pads and tablets and they are perfectly willing to use something other than Windows. Most significantly, when someone introduces a smart phone or tablet with Windows on it, the marketplace is saying, "ho, hum."
Especially among younger users, Windows is viewed as, "like, SO 1990." :)
Re:Fine, I'll bite (Score:5, Interesting)
This is the part where I suggest you read this interview with a guy who wrote malware: http://philosecurity.org/2009/01/12/interview-with-an-adware-author [philosecurity.org]
The majority of malware is written for Windows for two, simultaneous reasons: most people run Windows, and it's an easy target. It's both at the same time.
Running some form of GNU/Linux distro doesn't magically absolve you from security issues, but it's a decent first step.
Re:Because ... (Score:5, Interesting)
My NEARLY COMPUTER ILLITERATE next door neighbour (has trouble remembering how to copy files and use email attachments) who is 75 years old (a retired air force mechanic) who has used MS OS's for over 20 years (I helped him upgrade from DOS and a batch launcher script to Windows), now uses Ubuntu. It took him exactly ONE day with NO ASSISTANCE to learn the UI, and feel at home. Why?! Because he hated Vista, and after he held out for Windows7, and hated it as well, I said: "Before we install an OS that will be unsupported soon (XP), give Linux a try, it's free, so what do we have to lose?" -- Note: He has NEVER had to do anything with the command line, and he was AMAZED at how simple the installer was: "How are we're already running it from just the CD? ... How can this be free? ... Why doesn't Windows have this?" (well, now they do, sort of, but that's beside the point).
I've had people with ZERO experience with Linux borrow my Laptop (running Linux), and get around just fine, waiving me off when I offer assistance... even write a resume using Libre Office, and check out my music collection... I don't want to disrespect my friends, but these are the kind of people who have 37 windows "I'm an AV" viruses and don't know how to burn CDs or run Defrag -- You are deranged, a shill, or just down right mentally retarded if you can't use the OS.
Re:Wonderful Support... (Score:5, Interesting)
It is about getting staff to support your business, and the software you need.
If you have a Linux shop, you need to find people with Linux experience to keep your company going. These people with Linux experience also know Windows. However you need to find people who know Linux well enough as there is a gap in skills between very basic user, and administrator. For windows you can hire most any tech at any price range you need. You need a $10.00 per hour kid to make sure the disk doesn't get too full and install software, you can find some one. You need a $50.00 per hour skilled admin who will operates complex networks and mass storage you can find them too.
Next is software. You don't work in a vacuume your software will need to work with vendors and customers. That software you need for your business might have a Linux port, but there is always a windows version. You call for support you say Linux they say sorry you are on your one.
The issue of hardware. Your Linux experience is based on the hardware you get. Get the wrong hardware it runs like crap, get the right hardware, Linux runs like a champ. Companies like Dell that sells systems preloaded with Linux are risky because the don't really give you a good compatible system. You need to spec out each component. Windows has the drivers and they work. Thus getting a Windows system much more reliable.
Often the cost of a system with or without a windows license is verry small, get the license you can always go to Linux in the future. When you are in the future, you have a windows infrastructure that is too costly to change.
Re:Fine, I'll bite (Score:4, Interesting)
Not just that. Look at the number of iOS malware, vs Android malware. If iOS is as popular as people seem to think, shouldn't it have a proportionate number of malware compared with the number of Androids?
Re:Wonderful Support... (Score:5, Interesting)
After 17 years as a IT engineer/architect working for Fortune 500 companies, I'm calling BS on this one. It's simply not true. Microsoft does offer bigger discounts as you purchase more of their product licenses. That is far different though than giving discounts if there is no other vendor's product in your environment.
Re:Wonderful Support... (Score:5, Interesting)
Yes, very good bait and it'll be well received thanks to all the anti-MS sentiment here, but, umm, care to back that up with some evidence? I've also worked for some Fortune 500 companies. More to the point I've worked at smaller companies that nonetheless had enormous pull with Microsoft due to what they did (critical infrastructure). At one of those companies I was responsible for a couple of years for working with Microsoft on the licensing true-ups.
I can't even think of a company of that kind of size that wouldn't use a competitor's product in some way. They'd laugh if Microsoft said get rid of Linux or Oracle or whatever, because they couldn't continue doing business. Volume discounts, of course, nothing wrong with that. But banning a company of the size of a Fortune 500 company from using someone else's software?
I once was working with our MS reps on our support contract details and they described what happened in the case of certain types of "system down" calls. At some point it starts copying the status e-mails into Steve Ballmer's inbox. No-one is naive enough to think he's going to pick up the phone, but it sure as hell impresses upon the execs that Microsoft understands how crucial their business really is.
If I had a system down and I escalated it to a high enough severity, even before it got to Ballmer's inbox I'd get a phone call from my technical account manager after a set number of hours asking me if I wanted an emergency response engineer on site. If I said yes, they would go to a pool of the absolute top talent and get whoever was available to my site as quickly as possible. Several hours away? Next flight. Not quick enough? Microsoft would charter a helicopter just to get their expert to me so my system could get up and running. Remember, this was for a very definitely NON-Fortune 500 company.
Their support escalation procedure is world class. They have a rigorous workflow, with extremely well defined escalation times, conditions, and requirements for the Microsoft TAM to fulfill. I've seen it in action. It's surgical. What I've described above doesn't cost millions. It cost that companymore to get support for their RedHat licenses, and that didn't include specialist engineers being flown in by private helicopter if necessary.
That kind of dedication wins out. I've seen Oracle gurus be absolutely stunned by the response to a SQL Server emergency ticket. They have wished out loud they could get that response for an Oracle problem. So has upper management. The company I have in mind runs all their really heavy stuff on Oracle/AIX. They won't consider SQL Server for the truly critical databases. But I have heard them tell Oracle they need to get their act together and be more like Microsoft when there's a top line problem.
That's why Microsoft. Because even the people who complain their stuff is flaky still wish all the other companies had emergency response technical teams that were half as good as Microsoft at getting systems back up and running.
Re:Fine, I'll bite (Score:2, Interesting)
So, I'd say you are probably a Linux administrator, and not a windows one. Windows also have logging facilities, and a pretty complete statistics monitor to help you diagnose/troubleshoot problems (and probably can gather metrics with far more detail than you would on a Linux system). That said, there are some issues an lot of badly designed software out there. But unfortunely (sic), that's not Windows-specific.
I'm a Windows administrator. Card-carrying Microsoft-Certified Geek Extraordinaire, as a matter of fact. For several years, I was the Network/Systems Admin for every other municipality from New Orleans to San Antonio. I also administer some Linux Systems.
Unfortunately, rev0lt, you haven't got a clue what you're talking about. Linux logging facilities give you specific, text-based error messages indicating what the problem is and when/where it occurred without needing to look up some esoteric (and numeric) error code on Microsoft's web site to even guess what the problem might be related to. To restate that concept: Linux error messages tend to be something intelligible without requiring internet access; Microsoft error "messages" tend to be strings of numbers that mean absolutely nothing without digging through support websites.
As an aside, I have never had a Linux system give me an error that included the text "The operation completed successfully" [google.com]. I'll leave that google search for you to laugh at.
Re:Wonderful Support... (Score:5, Interesting)
Yeah, that kind of caught my eye too. I have had the odd F500 company as a client and they have definitely had open source software running. I would be very surprised if the assertion were true.
However, I have worked with Microsoft partners and have been told that they were obliged by contract not to run software with the GPL license. I was never able to verify if it was actually true, but at 2 of the places I worked with, I was told that. Very different kettle of fish, and it was quite a long time ago. Even if it were true at that time, I doubt that such a thing exists any longer.
Re:Wonderful Support... (Score:4, Interesting)
I'll echo this sentiment with my personal anecdote:
Working for a large Canadian telecom, preparing to launch a new service, I was reviewing the infrastructure at the behest of my manager after a sysadmin had moved into another role. I discovered, with no more than 2 weeks until this high profile service was to launch, that our clustered SQL instance would behave fine while sitting there or under minimal testing load, but as soon as you piled it on, the system would outright fall over.
Long story short, this led to a 36 hour phone call with Microsoft where I was escalated to SQL engineers and Windows engineers who in turn managed to pull strings at HP to get driver engineers on the phone leading to the discovery that the HBA drivers for our servers were crapping out under said load.
I'm a proponent of Linux, I use it where appropriate, I get support from RedHat on stuff that I need support on, and I generally loathe the generic issues that come along with running Windows. That said, when it comes to "Somebody is going to lose their job if I don't get this fixed" there are few organizations I'd rather have backing me up than Microsoft.
Re:Fine, I'll bite (Score:5, Interesting)
Do a lot of on-line banking on your Android phone, do you? Or have a nice, high bandwidth connection you could saturate to support a DDoS attack on someone who didn't pay their protection money? Or store any juicy company data that could be handy for not-quite-insider trading?
As ozmanjsri said, yes to all these things. My 4g connection is definitely faster than my home broadband.
There have been security vulnerabilities found in just about every major piece of networking/server software on Linux. There is no doubt about this, because most of those packages are open source, and the fixes are a matter of public record. If there was money in writing Linux malware, there have been plenty of weaknesses to exploit, just like on Windows (or any other major platform).
There have been security vulnerabilities found in every piece of networking/server software, Period. The trick is that on Windows, even Microsoft is often not notified of these for months after their discovery by the black hats, and it has been sometimes two years for a fix. You as a consumer may NEVER know about them.
But serious malware today isn't written by script kiddies any more. It's essentially organised crime, and it follows the money. If you think that wouldn't lead it right to Linux if that became the dominant desktop OS, or that being primarily open source makes the Linux ecosystem magically immune to the kinds of security bugs that make it into code written by highly skilled and experienced professionals working for the best funded software companies in the world, then I've got a few friends in Nigeria who would like your help with some financial transactions.
the U.S. Army is “the” single largest install base for Red Hat Linux. Industrial Commercial Bank of China runs Linux at all 20,000 of its locations. The Chicago Mercantile Exchange employs an all-Linux computing infrastructure and has used it to process over a quadrillion dollars worth of financial transactions. No money in Linux malware? Pshaw.
But no, Linux doesn't make you magically immune. It simply has a more mature and advanced security model, better tools for detecting and stopping intrusions, and the ability for a motivated firm to make any security modifications needed on their own schedule.
Comment removed (Score:4, Interesting)