Linux Is Not As Safe As You Think

BrianFagioli writes via BetaNews: Would you be surprised if I told you that threat methods for Linux increased an astonishing 300 percent in 2016, while Microsoft's operating systems saw a decrease? Well, according to a new report, that is true. Does this mean Linux is unsafe? No way, Jose! There are some important takeaways here. Microsoft's Windows operating systems are still the most targeted platforms despite the year over year decline -- far beyond Linux. Also, just because there is an increase in malware attack methods doesn't necessarily mean that more systems will be infected. Let us not forget that it is easier to find a vulnerability with open source too; Microsoft largely uses closed source code. "At the end of November, criminals with other variants of the same Linux malware unleashed devastating attacks against DSL routers of Telekom customers. 900,000 devices were taken down. In October, the Mirai code appeared freely available on the Internet. Since then, the AV-TEST systems have been investigating an increasing number of samples with spikes at the end of October, November and beginning of December," says AV Test of the Mirai malware. "Other Linux malware, such as the Tsunami backdoor, has been causing trouble for several years now and can be easily modified for attacks against IoT devices. The detection systems of AV-TEST first detected the Tsunami malicious code in the year 2003. Although, at that time, practically no IoT devices existed, the Linux backdoor already offered attack functions which even today would be suitable for virtually unprotected attacks on routers: In this manner, Tsunami can download additional malicious code onto infected devices and thus make devices remote controllable for criminals. But the old malware can also be used for DDoS attacks. The Darlloz worm, known since 2013, as well as many other Linux and Unix malware programs, have similar attack patterns which AV-TEST has been detecting and analyzing for years."

Ponderosa Puff

[Spy Handler]

didn't take no guff
water ought to be clean and free
so he fought the fight and he set things right
with his openBSD

Re: Ponderosa Puff

[dougdonovan]

linux is only as safe as you make it. besides, it beats the hell out of windows.

Re:

[fisted]

You keep assuming that the author of the unit file has to be the administrator of the server that is to be owned.

Hint: You're mistaken.

Re:

[gumbi west]

Windows fit for the desktop? What a joke.

Every time I open my windows laptop at home it has a panic attack about the missing network drives. it's like, seriously Windows, VPN isn't new, just calm down and help me setup the connection and toss some ice in your underwear until then. Because of this foobar it also thinks I haven't saved any of my open documents.

Also, after a reboot, Mac OS has been recovering to having all of the applications in the same state I was in for over a decade. Why can't Windows do t

Re:

[gumbi west]

I know I'm feeding the trolls here but it's not a popup. It's a long freeze, a popup, and every MS program starts flashing in the dock and needs me to click on it an agree that it lost it's connection to every open document.

Re:

[ProzacPatient]

Burma Shave!

Re:

[ma1wrbu5tr]

Am I the only one that thought this was a Primus song?

Re:

[Big Hairy Ian]

Linux has always been vulnerable. If Linux for desktop ever takes off it will get PAWNED left right and center. At the moment though very few people are targeting it.

Re:

[tlhIngan]

Linux has always been vulnerable. If Linux for desktop ever takes off it will get PAWNED left right and center. At the moment though very few people are targeting it.

Linux right now is getting pwned. Or rather, Linux servers running vulnerable applications.

You don't hear much about them because they're Linux servers, and the vulnerable application is usually named instead of Linux, like WordPress, for example.

Of course, the goal is not to infect other Linux servers, but to infect websites hosted by Linux so

Re: Ponderosa Puff

[KGIII]

Invariably?

Re:

[Negatif]

here's a clue
https://www.openbsd.org/lyrics... [openbsd.org]

BREAKING!!

[FrankHaynes]

slashdot is not as safe as you think!!

Tsunami backdoor

[Dunbal]

Of course is it really the fault of the operating system when the PUBLISHER'S WEBSITE is hacked and contaminated distros have to be downloaded for it to work?

Re:

[Anonymous Coward]

Well yeah, of course it's that open sores stolen software's fault. If you bought it on a CD like any God-fearing capitalist, you'd have been safe, but no, you went and downloaded it without paying for it like some sort of Satan-loving communist.

Re:

[unixisc]

How does Open Source reveal to you whether something is stolen? The thief could well have changed the attributions & credits in the code

Re:

[jimtheowl]

It does not magically reveal itself. Nothing does. But readable text is easy to compare, even to the human eye.
If I were to read code I wrote or supported, I would likely recognize it.

You could even consider using a computer.

https://en.wikipedia.org/wiki/... [wikipedia.org]

http://www.drdobbs.com/archite... [drdobbs.com]

https://academia.stackexchange... [stackexchange.com]

...

Percentage change

[DavidJSimpson]

Baby Timmy grew 300% but Uncle Bob shrunk 5%. Who is bigger?

Re:

[Swave An deBwoner]

And Bob's your uncle?

Re:

[hagnat]

this is why i hate statistics comparison. When you say "this country grew 50% while this other only grew 1%" can mean a lot of difference. If the first country is Sealand, that means a baby was born, while if it was china, that would mean 14 million

Fuchs ache!

[Epsillon]

This isn't a "Linux problem," it's a "proprietary vendors using Linux and not passing on patches in a timely manner because money problem."
Linux is exactly as safe as I think it is, though. That's why I'm careful to lock it down just as I would any other system.

Re:

[chromaexcursion]

Amen

Re:Fuchs ache!

[MightyMartian]

It's why I roll my own routers with a long term support version of the distro I'm using, and why I run updates on a strict schedule. If you're buying some low-end shitty D-Link router, well you got what you paid for; a Linux box that's virtually never updated, that probably is running old versions of the kernel and other userland tools right out of the box. It's literally like booting a three year old version of unupdated Ubuntu and decrying the vulnerabilities of Linux.

Re:

[onyxruby]

Unfortunately the 'it's good if people just use pure Linux" defense ignores how Linux is used by the vast majority of people. When it comes to security you have to compensate for how end users use the product - not purists. Jane the accountant doesn't give a damn about ideology, she just wants her stuff to work.

Same goes for windows, and it's something Microsoft struggled with for a long time before finally understanding that they had to accept users as they are. You can lock down Windows fairly tightly as

Re:

[fisted]

Blah.

Re:

[munch117]

This is a "using a desktop operating system for an embedded product" problem.

When you do that, you get millions of lines of code that are not strictly relevant to your application along for the ride. And every time there's an update, hundreds of thousands of lines may have changed, that you have to review, test, compile, and transmit the result to the device somehow, even if the actual security fix you care about is only a handful of lines.

Re:

[OolimPhon]

Ayup, the problem is the same as with Windows for that matter. However, the enormous variety of embedded systems limits the scope of any attack.

That's funny. I don't remember the vast number of IoT cameras limiting recent attacks... Be careful how you generalize.

Not a level comparison

[Anonymous Coward]

The DSL router issue was /that/ distro, not linux as a whole. That's like lumping Adobe Flash issues in with WinXP issues.

Re:

[unixisc]

Usually, the distros in question are either the vendor ones that come in the routers. Do the vendors add anything specific to the router software that makes it insecure? From what I understand, the reason is usually that most people are too tech-phobic to change the admin password of the router from 'admin' or 'password' to something else that they fear they'll forget.

Re:

[thegarbz]

That's like lumping Adobe Flash issues in with WinXP issues.

And yet this is exactly what happens, so keep those goalposts where they are.

Re:Not a level comparison

[MightyMartian]

How is a distro's update problems Linux's problem. Linux is an operating system. If you bought a router or downloaded a router distro that can't do updates, well, that's your fault. I learned my lesson a long time ago. I spend a few extra bucks, by a small-form box with a cheap 32 bit or 64 bit CPU, a relatively small drive, usually an SSD, throw a mainline distro like Debian on it, and not only do I have a router, but I have a router that can do some pretty complex things since I have full control of iptables, not to mention being able to run anything else on it I please. I've got it to the point that I can get a router on a box in about an hour or so, from the point that I run the netinstall version of Debian.

Re:

[account_deleted]

Comment removed based on user account deletion

BeauHD

[TheDarkener]

isn't as Slashdot as you think.

Re:

[unixisc]

I prefer this story to the political or climate stories that he posts. Had some good moments in the Intel IoT thread earlier, but of late, too many /. stories are about politics or climate (which in itself is a route towards bashing Republicans)

Thank you IoT

[grilled-cheese]

Thank you IoT vendors who don't maintain their devices for creating a breeding ground of consumer-grade security holes. Let us all pray that these widgets aren't internet facing in some way and that the consumer grade routers are sufficient at keeping external attack vectors to a minimum. There isn't much we can do for consumers who like to click on internet candy to infect themselves.

Compared to what?

[Anonymous Coward]

Stupidest story ever.

this is like saying

[cas2000]

that a particular brand of car can be stolen easily if you leave them parked on the street with the door open and the keys in the ignition.

because that's what router and IoT etc manufacturers did with default passwords and backdoors and generally undermining security for the sake of convenience (mostly their own convenience, not their customers')

Re:

[thegarbz]

That depends. Is it the same as tricking a person to handing over their keys when you get them to install randsomware? I mean that's by far the vast majority of "windows" security issues.

(insert OS) is not as safe as you think

[WillAffleckUW]

Nobody will ever hack CP/M
Nobody will ever hack MS-DOS
Nobody will ever hack Windows
Nobody will ever hack Macintosh OS (iOS)
Nobody will ever hack.

Security is not the same as obscurity.

Re:

[arth1]

Nobody will ever hack CP/M

Can't say I've seen many CP/M hacks lately...

Re:

[phantomfive]

Uh, I don't remember anyone saying any of that about any of those operating systems.

Potential

[chill]

Linux, unlike Windows and Apple's iOS, *can* be made much more secure with a little bit of effort.

How? By not using monolithic kernels that support every device in creation, and stripping the kernel down to what is installed on the system -- especially with things like IOT devices. If it isn't installed, it doesn't need patched, it can't break, and it can't be exploited.

Ditto for added software and apps. Take a look at many of the Linux-based router firmwares out there, both sold by commercial vendors and FOSS projects, and you'll see attempts to compete with high-end Cisco feature sets for home or small business use.

Having that available is great! However, turning all of that on by default, and user thinking they should get something not because it suits their needs but because it supports 10,000 features, gets you a complex, insecure mess.

With Microsoft and Apple you can't remove many of those features. The company controls it and, Enterprise customer with a decade experience or not, you will damn well have Telemetry and like it! And dozens of other "features" that you'll never use, don't want, and just are waiting to get exploited.

Linux gives you the ability to shape much of your own system, including making it much more secure than a run-of-the-mill device. Whether or not you take the time and effort to do that is up to you.

I've seen way to many Linux-based routers and gadgets that are exposed to a network and still have default admin passwords to blame "Linux" for security headaches.

Re:Potential

[unixisc]

How? By not using monolithic kernels that support every device in creation, and stripping the kernel down to what is installed on the system -- especially with things like IOT devices. If it isn't installed, it doesn't need patched, it can't break, and it can't be exploited.

Huh? Linux is a monolithic kernel, and Linus is emphatically opposed to it being anything else. If any IoT vendor wants to use a microkernel based OS, they should look at Minix instead.

Router makers should use well known router distros of Linux or BSD, such as DD-WRT, OpenWRT or pFsense, instead of spinning their own. And let those organizations remote-manage them in exchange for a deal.

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[unixisc]

Router distros should have whitelists of the websites they wanna allow. When one configures them, one should have the capability of adding sites that ain't already there. That saves one from the default allow all, and allows one to drop all but whitelisted sites.

Re:

[AmiMoJo]

Buffalo make routers that run a version of DD-WRT, and you can easily (through the normal upgrade interface) load official DD-WRT builds.

OnePlus tried to farm out OS updates to Cyanogen on their first phone. It didn't work very well, updates were delayed and eventually support was dropped anyway. Unfortunately this is the commercial reality we have to deal with, and even DD-WRT isn't guaranteed to be updated for your old hardware forever.

I view routers are consumable. Eventually they get too old. Either too

Re:

[unixisc]

What exactly is the scope of 'support' i.e. why would a router need to be updated forever? All it has to do is pass or drop packets, and follow routing algorithms while managing internet traffic. The former can be managed w/ Whitelists, which I suggested in the above post could be user configurable to include just the sites s/he visits. So for the latter, are there changes frequently happening to routing protocols like OSFP, or EIGRP or others that change from distro to distro? And if yes, what does tha

Re:

[chill]

Mea culpa, I used the term incorrectly. I was not intending to reference microkernels, but rather the inclusion of LKMs and associated drivers and firmware for hardware that does not exist on the system.

Another big frustration of mine is improper software dependencies. Several years ago I was trying to remove packages from a Debian system to see how slim I could get it. By attempting to remove one package at a time, I'd get warnings about what depended on various packages, and thus could determine their im

Yoe mean modular

[Anonymous Coward]

The term "monolithic kernel" doesn't mean modules are statically linked. It means that the kernel contains the full interface to hardware in kernel space. In a microkernel architecture kernel space is used for less, device drivers, file systems etc. operate in user space.

The Linux kernel is modular and monolithic. The modular nature makes it possible to remove parts that aren't needed, but those parts still run in kernel space.

Re:

[Tony Isaac]

Actually, with Windows 10 you can remove these features, by downgrading to Windows 10 s.

So yes, if you take away all the functionality people want, you certainly do end up with a more secure system!

Bad Assumption

[Zero__Kelvin]

They have no idea what I think.

Linux is a kernel ...

[Murdoch5]

Almost all the major infections, back-doors and security problems are the result of the userland, improper implementation of the kernel, bad firmwares, lack of security knowledge, improper development, sloppy implementation and etc... etc... etc..

To say Linux is more insecure then Windows, means that the kernel, as released by Linus, and nothing else, is insecure. Well some security issues are discovered residing in the kernel, almost all other attacks and vectors have nothing to do with the base release kernel.

Re:

[Bing Tsher E]

And Windows 10 is a DVD-ROM.

I mean, I can't see how anybody is going to penetrate my Windows 10 DVD-ROM disk, it's hard and plastic and pretty thin. Since that's the sum and whole of Windows 10, I am safe, just like the Linux kernel is safe, especially if it's kept safely housed in a tarball.

Re:

[cowwoc2001]

That is nonsense.

No user runs a kernel on its own. This sounds like a double-standard. Linux should be held up to the same standards as all other operating systems.

Re:

[JasterBobaMereel]

There are currently ~8 supported distributions of Windows, all of the are very similar and mostly have the same issues

There are probably a near infinite Linux Distributions... DistroWatch lists the top 292 ...and each of these have variants ...Most IoT systems run a custom build ...

Re:

[Murdoch5]

If I build a software project/module that does job X, and you use it, expand it, modify it so it works in your application and your application gets hacked, unless you can point to the original fault in my X, you don't get to claim that my project/module was insecure.

Re:

[cowwoc2001]

Take a look at security-related articles. They rarely quote the underlying problem. More often they mention the customer-facing product that has a flaw. For example, when Windows Media Player has a bug Journalists headline with "Yet another Windows security hole". Linux is no different.

Re:

[Murdoch5]

Ignorance of reporting doesn't move the fault. If a report claims a bug exists in Linux, but the bug actually exists in the GNU userland, that doesn't all of a sudden mean the kernel is at fault. This is why it's important to read the CVE and follow reported flaws and bugs to find out what the exact issue actually is.

Windows is an OS

[thegarbz]

We'll stop lumping userland issues with Linux when everyone else stops lumping idiot users executing randsomware and then clicking the yes box in the UAC prompt in with Windows.

Re:

[Murdoch5]

An outstanding demonstration of ignorance :)

Windows comes prebuilt with its own userland and application land management area, which means that Micrsoft, the creator of Windows, is responsible for it. They're responsible in the same manner that Linux kernel developers are responsible when an issue is found existing in base kernel code, which I pointed out in my post.

Routers and IOT?

[markdavis]

Please compare apples to apples...

>"At the end of November, criminals with other variants of the same Linux malware unleashed devastating attacks against DSL routers of Telekom customers. 900,000 devices were "

How many routers run MS-Windows?

> "Other Linux malware, such as the Tsunami backdoor, has been causing trouble for several years now and can be easily modified for attacks against IoT devices."

How many IOT devices run MS-Windows?

Routers and IOT devices are notorious about having crappy firmware with Linuxes that are hacked up and rarely (or sometimes never) updated. Comparing those to desktops and servers is much less a function of the security of Linux and more about the lack of maintenance and updates with the unusual role of the devices.

Sure, *ALL* operating systems have security risks and vulnerabilities. Anyone that thinks Linux (or any OS) is impervious to malware and safe needs to have their head examined. But the sensationalistic article title isn't really comparing machines of the same class, so it doesn't do the topic much justice.

Re:

[Skuld-Chan]

> How many IOT devices run MS-Windows?

Quite a lot actually:

https://www.microsoft.com/en-u... [microsoft.com]

Re:

[unixisc]

That may be something Microsoft wants, but it has about as much market presence as Windows NT on RISC did, back in the day. They have this stupid 'one size fits all' meme that has not gone away w/ Ballmer, and it shows. They tried it b/w their PCs & phones, and damaged both. Now they want IoT devices to run w/ their stuff, after they've discontinued their phone line (instead of leaving it w/ Nokia in the first place).

One good platform for an IoT would have been Windows 8 RT w/ Metro, but w/o the de

Re:

[thegarbz]

The no true Linux fallacy.

Flawed study, is flawed.

[geekmux]

"...unleashed devastating attacks against DSL routers of Telekom customers. 900,000 devices were taken down."

Linux. You keep using that word. I do not think it means what you think it means.

It's a absolute joke to lump in devices that most people who who actually use Linux would define as one fucking step above the Internet of Shitty Things from a security perspective.

And how much of that is due to...

[IWantMoreSpamPlease]

SystemD?

Re:

[MSG]

None, of course.

Re:And how much of that is due to...

[Anonymous Coward]

0.0%, notabug, wontfix.

Percentage is meaningless.

[AJWM]

Going from 1 threat to 3 is a 300% increase. Going from 1000 to 999 is a decrease. (Numbers arbitrary)

Guess which one I'd prefer?

Microsoft shilling on my Slashdot?

[Gravis Zero]

Did they forget to tag this "advertisement"? ;)

It's not Linux stupid

[humankind]

The "increases in security issues" are not related to Linux. They are related to third-party systems which run on top of Linux. This is in stark contrast to the never ending array of vulnerabilities that are essential parts of the Windows operating system.

Apples and Oranges.

Re: It's not Linux stupid

[KGIII]

That's rather disingenuous. Without the applications, the Linux kernel is also pretty much useless. There are surpringly few security flaws, known, in the Windows kernel. The Linux kernel is much the same. Like Linux, Windows is pretty useless without apps.

three times

[MSG]

This is a silly write up. There are three times more malware programs targeting Linux systems. That tells us nothing about the number of Linux vulnerabilities, or the number of vulnerable systems, or the general security of the system.

Re:

[gumbi west]

Right? I concluded that Linux is exactly as safe as I thought it was.

Re:

[guruevi]

I was about to comment the same thing, this is about the attack surface against primarily IoT devices that run minimal versions of older (think pre-XP era) kernels.

It doesn't say anything about the overall success rate of these attacks. Given 90+% of devices is not Windows these days (the myth that Windows is more commonly used so it had more people trying to attack it is now thoroughly debunked) I would imagine the attempts to hack old Linux machines would increase. And even so, the most common hacks on th

When everything not called desktop PC uses it...

[Z80a]

Some ought to try to exploit the system.

The term is "secure", not "safe"

[gweihir]

So, first indicator for incompetence already present: Author does not even know basic terminology. Second thing is that Linux is not inherently more secure than, say, Windows, but the mind-set of application developers is better and it is far easier to secure. It is also easy to make completely insecure, but a competent person will find it far easier to have a secure Linux installation than with the competition, because Linux gives you access and allows you to do things, while with, say Windows or OSX you are pretty much at the mercy of the OS vendor.

Re:

[gweihir]

Quite true. You can also use Linux distributions that are made to be extra secure (and have some downsides because of that, like worse functionality and missing software), because the "vendor" does not prevent anybody from creating and sharing such distributions. For Windows, you have to install first and then harden individually, making this an expensive process.

Technically speaking...

[campuscodi]

Technically speaking, the data is skewed by malware numbers for IoT devices. Actual Linux boxes may be quite secure if you don't strip them down to a few libraries like the OS versions that ship with IOT crap.

two kinds of company

[Reverend Green]

There are two kinds of company: those who know their servers have been compromised, and those who don't know.

(We used to say this in the security group at a big company in New York that almost certainly has better security than your company.)

Uh puhleeze

[mdhoover]

Anyone can easily reduce the attack surface of the linux instances you choose to deploy by simply
a) only compiling in the drivers/kernel features required
b) only installing just enough in userspace to do the job, and
c) running shit with least privilege

Not so easy with windows...

The fact so much cheap crap out there was pushed out by manufacturers that give zero fucks towards basically securing their provided OS is not a reflection on the kernel/OS as a whole.

Re:

[account_deleted]

Comment removed based on user account deletion

I blame Systemd

[JustNiz]

Its a turd and I keep finding bugs in it and relatively obvious ways to break it. Apparently no one writing systemd actually tests their code before checking it in.

Not news but propaganda

[strikethree]

This is not a news article, it is a propaganda piece. It is written with the angle of getting certain sequences of word to be read by the largest number of people possible.

The summary starts out using a term that I have never heard before and I work in that specific industry. In specific, what is the term "threat methods"? Each word is sensible and combined they are also deceptively sensible. They are measuring "threat methods" but do not give a definition for what they are measuring so we can determine the

Re: Not news but propaganda

[KGIII]

I used to be involved in computer security, but then I hired capable people. I still made an effort to learn more, and have gone to things like Defcon - multiple times.

I would guess that I'm about as well versed as a layman would be, if they were tangentially tasked with understanding computer security. I am not a professional, in other words.

That said, I have heard the 'threat method' used, more than once. I'd say it is probably quite common, given that I have heard its use and understand its meaning. I am

Nothing is Secure

[EndlessNameless]

There is no application, OS, interface, etc that is immune to tampering.

This is why we have defense in depth strategies on the enterprise side. You put layers between a potential attacker and the data he may want, and you pray that one of those layers is something he can't crack yet.

If modern Linux distros have greater known vulnerability, it only means one thing: Microsoft is finally delivering on their promise to make Windows more secure. It's certainly taken long enough.

The increase in attacks on Linux i

Re:FINALLY!!

[Anonymous Coward]

At least I can see the holes in swiss cheese. Unlike the MSFT "processed" cheese-like product.

Re:

[Rockoon]

I don't know how much swiss cheese Linux is, but I do know that as things like routers get more and more powerful, the desire to attack them will grow and grow.

Back before Win3.1+Winsock and Win95, there were almost weekly CERT advisories about unix-based exploits, but as Windows grew to dominate on the internet (at least by users) it switched to almost weekly CERT advisories about windows-based exploits.

It isnt that any of these things is secure. My money would be on OpenBSD being the most secure, but

Re:

[The123king]

So you'd like a potentially exploitable version of the router software burned into an unpatchable ROM.

I'd agree with you if you wanted to go for user replaceable ROM. Still doesn't stop RAM resident malware. Sure, a restart would work, but that's usually only done when the wifi drops out.

Re: FINALLY!!

[Anonymous Coward]

He said "like the whigs did". The Democratic-Republicans opposed the Whigs. If the Democrats fell apart like that, the two parties would be one based on the more popular parts of Republicans and Democrats combined, and another based on the core of the Republicans.

Nothing about that makes a one party system. Our election system guarantees two parties, by game theory. Not one, not three.

Re:FINALLY!!

[MightyMartian]

A router running an OS that probably hasn't been patched in years, thus containing multiple vulnerabilities long ago patched, is hardly the same thing as an OS full of holes. That's like condemning Windows because of unpatched vulnerabilities in Windows XP and Vista.

Here's a tip. Don't buy shitty routers running years' old firmware, and expect that somehow the magic update faerie is going to make the vulnerabilities go away.

Re:

[skids]

Not to mention many of the holes are in vendor add-on software, not in Linux itself.

There's something to be said about year's old firmware, however. For a device like a router, turning off all unnecessary services, closing everything off and then opening things as needed, and only patching security vulnerabilities... never upgrading anything unless you have to to get the security fix... is actually a good strategy. On commercial routers what you do is stay current on an old release chain.

This is because a

Re:

[MrLint]

You mean like this?
ITwire still faults Microsoft for not planning ahead, since in February 150 million people were still using Windows XP.
https://www.itwire.com/open-sa... [itwire.com]

Re:

[The123king]

Is it Microsoft's fault for making such a good product, people still want to use it 15 years after release and 2 years after support has ended? It's rare to see something so beloved come from Redmond. It's probably second only to 7 with Hotmail trailing in 3rd

Re:

[Anonymous Coward]

It's not that XP is a good product, it's that it was followed by Vista, and having learned from that fiasco, people avoided Windows 7 until it was proven that it wasn't simply another Vista.

Unfortunately, just as people were starting to plan the switch to Windows 7, Microsoft started promising that Windows 9 would be much better, and people decided to wait.

Then when people saw that Windows 10 was another fiasco, and started considering Windows 7 once more, Microsoft started forcing Windows 10 upon Windows 7

Re: FINALLY!!

[KGIII]

Meh... With some work, you can secure XP well enough. Depending on your security needs, there are a variety of products, methods, and services. I've been using Linux exclusively, for years, and I still have some fond memories of XP.

Re:

[arth1]

Linux[Redhat[1,537]/Debian[1,120]...2,657 total]

You can't just add them up. Many, if not most, will be the same vulnerabilities.

Red Hat gets a few more because of their long life cycles: 10 years, plus a few years more if paying for extended life cycle support, compared to Debian LTS being five years plus however many months to match the next LTS release.
That means more risk of old software bugs being discovered and patched in Red Hat. Which is not a bad thing.

Re:

[jimtheowl]

In itself, that is a good reason to start using it.

Re:

[jimtheowl]

"I never turn it off 30 July 2014 12:21:54 AM"

Ever heard of a command called 'uptime' ?

Re:Ah, the PRICE of fame (always the same)... apk

[Bert64]

Linux has been attacked for years, there have been rootkits and exploits out there since the early days of slackware... Linux has had a significant presence on servers almost since its inception, and is now starting to make inroads in many other markets.

On the other hand, what people think of as "linux" in this context is a multitude of different versions of the linux kernel with various modifications and all manner of different userlands running on top. Literally anyone can build a linux-based system and pile whatever garbage software they like on top of an ancient version of the kernel.
Windows on the other hand comes from one place, in a small set of versions, and all of the vulnerabilities attributed to windows are present in this version and usually in a default configuration.

Microsoft fully control the versions of windows being released, and if a third party produces a device that bundles a windows install but has some additional vulnerable software running on top of it or a stupid default configuration (eg default passwords) that vulnerability is blamed on the device vendor and not on windows.

There are no shortage of such devices, and they routinely get compromised not only due to their own poor configuration but also because of vulnerabilities in windows itself (eg eternalblue).

When it comes to embedded devices, Linux is massively more widespread than windows, most people are likely to have more linux devices than windows and usually don't even realise it, only a subset of these devices are getting compromised because the manufacturers of those devices make stupid mistakes when building them and then fail to either provide updates, or provide a user-friendly way to apply them.

Re: Some kind of police state I am sure

[KGIII]

> one terrible outlook, to the next.

See? You should use Thunderbird.