On 22/12/10 14:24, mick wrote:
> Don't get me wrong, I'm not naive enough to think that "linux is inherently more secure than windows", nor am I blind to the problems of application level exploits running in that universal firewall bypass we all love (i.e. the browser, which to make things even worse may run flash). But I do like the fact that Linux in all its variants is a very, very small and specialist target so malware developers leave it alone.
I disagree with this. I agree that Linux isn't absolutely bulletproof, but there are a number of reasons why Linux is better prepared for the threat than Windows. The fact that anyone can audit the code really is a strength, but also the fact (that you alluded to) that with Linux, most of the software you want is an apt-get away, rather than downloaded from PirateBay or similar. The package management also makes it a lot easier to keep things up to date; Windows does a reasonable job these days of installing system updates but you're very much on your own when it comes to application updates, and the myriad of "update available, click here to install" messages you get on Windows is a gift to trojan writers.
Windows has improved from a position of real weakness (e.g. the Windows equivalent of sudo), but it still suffers from things like driver validation, which (because most aren't) requires that users get used to clicking past the warnings.
And the worst browser is still IE (at least with all the legacy versions out there - and a lot of systems that cannot update past IE6), which, although it is way better now than it used to be, has again started weak then got better, rather than starting strong where most Linux applications have taken security seriously for longer. Of course it "helps" that the cost of a Windows licence is substantially offset on most PCs by kickbacks from security software trials, so the incentive isn't fully there to fix the problem. Whilst the business model includes selling updates, it's "useful" that old versions have problems that you have to pay to upgrade, and upgrading between distro releases is way easier than between Windows versions in any case.
Linux distros would be wise not to be complacent (but I don't think they generally are). Being a smaller target is part of why Linux is currently safer but it really is not the whole story. A bigger concern would be a major shift to closed-source drivers and applications on Linux (it's no coincidence that Flash is one of the biggest problems right now).