Is Opensuse 13.2 inherently more secure than Windows 8.1

[Lazy8s]

Hi everyone,

 

This is strictly a "home use" scenario regarding security at the OS level. Try as I might, I don't seem to be having much luck over the past days finding answers in language I can understand. I'm not a programmer/CS major/Linux guru etc etc ...so I'm looking for definitive answers I can verify.

 

I do all my financing on my Surface Pro 3, high firewall settings/AV/encrypted browser and all that, but as i'm considering a larger laptop replacement (bigger screen for various reasons) I want to migrate everything to the most secure environment, so...

 

I understand through various articles that I do not need to run an AV/malware suite with Linux. The reasoning I'm seeing is that nothing can access or alter system files without root access, which requires my password. I'm very cautious with browsing/email habits on the SP3, but in the event I ever did activate (click on or whatever) a Linux compatible bit of malware, does the above statement stand?

 

I do use strong passwords, all different, and would also be encrypting the entire drive, except maybe for Home, which I would share with the wife for photos/videos and such.

 

I'm not "committed" to Windows for anything on the pro that I can't do on Linux, and I'm not afraid of the command line, although I'm very cautious of it.

 

Am I overthinking this? Is there a definitive answer to security level between the OSes that would benefit from this move?

 

Thanks for answers and your time folks - much appreciated.

[Mindovermaster Moderator]

Windows malware/adware/viruses do not work on Linux. The reason behind this is as you said, root access. They also hit different sections in Windows that are not available in Linux.

 

I am not going to say there isn't viruses in Linux, because there are some that came around ~2005 (i think). It's only because Linux is 1% of users, while Mac and Windows are a greater minority.

 

I haven't run any AV/FW, and I've used Linux for about 3 years now.

[+InsaneNutter MVC]

A definitive answer would be you, the end user are the weakest link.

 

Without admin rights on Windows you would struggle to mess your installation up, likewise on Linux unless you are running things as root you would also struggle to mess anything up.

 

However even without admin rights on Windows or root on Linux you could still end up installing a rouge browser plugin that could potentially be accessing your data or doing something naughty in the background.

 

Windows is targeted a lot more than Linux, however the majority of infections still come down to the user agreeing a malicious app run with admin rights to do whatever it wants. It's hard to protect people from themselves if the user has admin / root.

 

Personally I have run Windows for years with nothing more than Windows Defender and never ended up with anything malicious installed. The only time i will grant anything admin rights is when its from a trusted source, for example Photoshop downloaded direct from Adobe.

[Max Norris]

For the average user, sure. You got a few things working in your favor.  First, (again, average user) you'll typically be getting your software from the distro's repositories, not external third party sites, so your odds of doing something stupid drop dramatically.  Almost all malware comes from user carelessness, it doesn't magically appear out of thin air.. but since so many people don't bother to learn basic software security because it's easier to just click away on download links,  it's a big problem.  Safe computing habits is the biggest line of defense for any OS.  I know people (myself included) who's only safety net is regular backups and an application sandbox.. this install of 7 that I'm on now is aprox 5 years old (since RTM) and going strong, zero issues with no resident bloatware safety nets.

 

There's also the "security by obscurity thing", the overwhelming majority of malware is going to target the most people possible, which obviously means Windows, Android, and to a lesser extent, OSX.  But of course there's the occasional exceptions as well. You can easily find examples of incidents for the Linux world too.  Plus once in a while there's the cross-platform malware that runs on say Java or the like.  

 

A lot of malware doesn't require root/admin access either, it doesn't take root credentials to run a bitcoin miner, encrypt your personal files, read your browser data, etc etc, no difference between OS's there. Root won't protect you there.

 

Carelessness aside, once in a while it's from exploiting a vulnerability.  As far as that goes, every OS has them, without exception, although you're probably much more likely to get into trouble due to your browser of choice or browser plugins (Flash, Java, etc), which also has a far from perfect track record too.  Who needs to install anything when I could just add a naughty browser extension? This is getting to be less of an issue lately with the major browsers as that's finally getting locked down.  (Although Google's taking it way too far, but that's a rant for another day.) Windows has a few good sandbox systems to pick from, not sure if Linux has one that's on the same level but haven't looked that hard either. If the browser/random download/etc does get exploited, it's still isolated from your OS.

 

But yea, short version.. both OS's can be super secure and both have had major issues.. but for the "clueless home user" (not directed at you or anyone specifically) who hasn't a hint of common sense about internet safety, yea Linux would be the safer bet by far as it's that user who's the weakest link, and you've been given a whole lot less opportunity to screw yourself over.

[Lazy8s]

Thanks for the replies. For what it's worth, I do consider myself the weakest link which is why I'm asking lol. Which browser, and how to secure it is my next research project. I've used windows steadily since XP, and have never had an incident (that I'm aware of) on my personal, protected machine.

 

I've also raised a whole gaggle of daughters and have seen how badly their rig can get infected, so I think I'm on the right track. I just want to make sure before I commit, because if the switch isn't worth it, well, no point in moving everything from Windows. I like the idea of the obscurity though...

[gohpep]

Linux has a lot of security stuff in place, but of course, you can ruin it all with root access.

 

SELinux helps against executed viruses doing severe damage, though I am not sure if Open SUSE has it.

 

If you want the most secure browser, wget and lynx. Of course, that is not optimal. Firefox is pretty secure, if you have the right addons.

[TPreston]

Computer Security does not work this way, you don't get computer security by installing Linux.

https://en.wikipedia.org/?title=Information_security

You can make windows so secure that no software can run and all the user gets is a black screen when the pc starts.

A properly configured corp environment wouldn't set their users up with admin accounts to begin with.. IE you'd need a password to actually do anything admin-ish. Fiddling with that UAC slider wouldn't change that.

Or use Granular Permissions for admins AKA "user rights assignment"

Again configuration not brand name

[Beyond Godlike]

Linux refused to budge on user friendliness to keep security in tact.  I applaud them for this as im in the IS field.  In windows, being able to slide 1 bar and turn off UAC and run as admin is just scary (while i do it, i dont take the risks an average user does). 

 

I really wish corp environments would replace the windows workstation with linux

[Max Norris]

Linux refused to budge on user friendliness to keep security in tact.  I applaud them for this as im in the IS field.  In windows, being able to slide 1 bar and turn off UAC and run as admin is just scary (while i do it, i dont take the risks an average user does). 

 

I really wish corp environments would replace the windows workstation with linux

A properly configured corp environment wouldn't set their users up with admin accounts to begin with.. IE you'd need a password to actually do anything admin-ish.  Fiddling with that UAC slider wouldn't change that.

[Lazy8s]

Oh I only use root for yast/updates mastercoms.

 

I'll read through that link TPreston, thanks.

[shastasheen]

Linux refused to budge on user friendliness to keep security in tact.  I applaud them for this as im in the IS field.  In windows, being able to slide 1 bar and turn off UAC and run as admin is just scary (while i do it, i dont take the risks an average user does). 

 

I really wish corp environments would replace the windows workstation with linux

A properly managed Windows environment is secure, audited and centrally managed. There's absolutely no need for Linux on the desktop as a security measure. Funny you don't hear about Microsoft getting hacked into.

[Beyond Godlike]

A properly managed Windows environment is secure, audited and centrally managed. There's absolutely no need for Linux on the desktop as a security measure. Funny you don't hear about Microsoft getting hacked into.

 

 

It takes alot of resources to protect windows.  We have so many endpoint protection applications running compared to what would be required on linux. 

[Lazy8s]

It takes alot of resources to protect windows.  We have so many endpoint protection applications running compared to what would be required on linux. 

That's another good point. I'm looking at lower specced laptops due to cost, and hopefully battery life, so resource usage will be pretty relevant for me.

 

 

edit: I wish 'nix was fully useable on the Surface Pros, but not quite yet lol. I'd just keep using that.

[shastasheen]

It takes alot of resources to protect windows.  We have so many endpoint protection applications running compared to what would be required on linux. 

Most of which you probably don't need. Windows by itself if firewalled and ships with A/V out of the box. In an enterprise you might have a Configuration Manager, Altiris or Big Fix client. CM2007/2012 can reduce configuration drift of clients. Properly managed AD policies, and not allowing users to run as administrator also help. Patches can be deployed via WSUS or SUP, Altiris or Big Fix. None of these things require huge amounts of resources or personnel to manage.

[simplezz]

Hi everyone,

This is strictly a "home use" scenario regarding security at the OS level. Try as I might, I don't seem to be having much luck over the past days finding answers in language I can understand. I'm not a programmer/CS major/Linux guru etc etc ...so I'm looking for definitive answers I can verify.

I think the reason you're having trouble getting your head around it is because a lot of the information out there regarding security is misdirection, or at the very least not relevant to normal users (as opposed to servers/data centres). That is to say, things like vulnerability/bug reports tend to confuse the whole issue because bear little to no relation to the actual security threats facing users. If we were to take those statistics at face value, we'd expect the same number of malware encounters (as a percentage of userbase) on GNU/Linux as Windows, if not more. That's clearly not in line with reality. So first of all, try to ignore such irrelevant information when determining OS security for users.

 

I do all my financing on my Surface Pro 3, high firewall settings/AV/encrypted browser and all that, but as i'm considering a larger laptop replacement (bigger screen for various reasons) I want to migrate everything to the most secure environment, so...

Considering how much malware, and how many scams and exploits are targeting Windows and have been for decades, it's definitely not the most secure environment. Now you can argue that's not to do with OS security per se, but user behaviour, and to some degree I agree. However, the OS can often determine user behaviour. For example, take iOS, Google's Playstore, GNU/Linux repositories, and even Microsoft's app store. They supply the user with software and they're all curated to varying degrees. What they all have in common however is, almost non-existent malware, viruses, rootkits, etc. It's only when users acquire software from unreliable third parties does malware become an issue. Unfortunately for Windows, this behaviour has been allowed to flourish for decades, resulting in a huge malware ecosystem that's unmatched anywhere else.

 

In addition to malware, there is the issue of exploits. IE for instance is the most exploited browser in the world. That's understanable given its early dominance, fragmentation, and support for inherently insecure technologies such as ActiveX. Still, the biggest threat aside from targets like IE, is outdated software. That is, third party software that's not automatically updated as part of the underlying OS. This is mostly an issue for Windows because most other OS' automatically update all third party software. GNU/Linux does this as part of its package management. System (OS) software is treated the same as an ordinary application. It's automatically managed, ensuring that It'll never pose a threat to the user. This is in contrast to third party Windows desktop applications, none of which are updated by the OS itself. Windows relies on either the software in question, or the user to do it. That's a recipe for outdated, vulnerable, and exploitable software.

 

I understand through various articles that I do not need to run an AV/malware suite with Linux. The reasoning I'm seeing is that nothing can access or alter system files without root access, which requires my password. I'm very cautious with browsing/email habits on the SP3, but in the event I ever did activate (click on or whatever) a Linux compatible bit of malware, does the above statement stand?

1. No, AV software isn't needed on Linux. It only sucks resources and power from your devices.

2. Yes, root access is required to access system files. That requires you to manually enter a password (as opposed to clicking a button on Windows which many people ignore).

3. You'll never run into browser/email based malware that will run on Linux. It's all targeting Windows. And even if you did, which GNU/Linux distro is it targeting? You see that's the advantage of Linux, it's such a diverse ecosystem that it's all but impossible for malware to exist across such various configurations. It's an incredibly heterogeneous environment with different package managers, init systems, kernels, file system layouts, core utilities, desktops, UI's, etc. That's a nightmare for malware writers. They love the homogeneous Windows environment where so many assumptions can be made about software present and configurations that large numbers of users can all be targeted at once. They love the archaic software delivery system where users are desensitised to running random executables and  from the internet and clicking past security dialogs like the mere annoyance they are, and where third party exploitable apps are left to rot and never updated.

 

I do use strong passwords, all different, and would also be encrypting the entire drive, except maybe for Home, which I would share with the wife for photos/videos and such.

Two users would be a better idea. /home/Lazy8 and /home/Wife. Then a common partition for shared videos, documents etc. Passwords are often stored in /home, so it's a good idea to encrypt that per user if you really want to be secure. It also means you and your wife can have different configurations, bookmarks/browser addons, and preferred desktops.

 

I'm not "committed" to Windows for anything on the pro that I can't do on Linux, and I'm not afraid of the command line, although I'm very cautious of it.

You sound like a good candidate for making the switch. The cli/terminal isn't anything to be afraid of. in fact, in distros like Ubuntu, Mint, Elementary OS, etc, I doubt you'll even need to access it. Linux is very user-friendly these days. Of course it's always there should you ever want to exploit its power, speed, or efficiency.

[simplezz]

A properly managed Windows environment is secure, audited and centrally managed.

We're talking about ordinary users here, not a corporate IT department managed environment. And even then, it'll rarely stop someone running a random Windows executable.

 

There's absolutely no need for Linux on the desktop as a security measure

Then you've clearly not seen the statistics for malware encounter rates on Windows:

https://www.neowin.net/news/microsoft-offers-new-data-on-malware-infection-rates-worldwide

And that's only MSE/Windows Defender statistics. Imagine if all AV software was included. Then there's the fact that AV software doesn't have a 100% detection rate.

 

Funny you don't hear about Microsoft getting hacked into

Talk about a non-sequitur. What does hacking Microsoft have to do with user security? Regardless I doubt they would advertise the fact even if they did.

[simplezz]

Firefox is pretty secure, if you have the right addons.

I agree there. FF is the most secure major browser provided you have extensions like ABP and NoScript.

[simplezz]

Computer Security does not work this way, you don't get computer security by installing Linux.

https://en.wikipedia.org/?title=Information_security

It depends how you define security. In terms of protection from malware, viruses and rootkits, the overwhelming majority of which target Windows, then yes, it does afford a greater level of security. Partly through obscurity, partly because of software acquisition behaviour and seamless integrated third party updates, and partly through the heterogeneous nature of GNU/Linux.

 

You can make windows so secure that no software can run and all the user gets is a black screen when the pc starts.

Reductio ad absurdum? Hardly a useful system for most people. Why don't you cut your internet lines while you're at it

[TPreston]

ITT: People who don't know anything about computer security talk about computer security. Telling people they don't need AV is TERRIBLE ADVICE.
 

We're talking about ordinary users here, not a corporate IT department managed environment. And even then, it'll rarely stop someone running a random Windows executable.

Ah yeah it will you can even make the system so secure nothing but signed Microsoft executables will run.
 

Considering how much malware, and how many scams and exploits are targeting Windows and have been for decades, it's definitely not the most secure environment.

 
Does not follow;
 
 
 

It depends how you define security.

The same thing is true with  medicine there's a right way and a wrong way.
 
 
 

In terms of protection from malware, viruses and rootkits, the overwhelming majority of which target Windows, then yes, it does afford a greater level of security.

...Through obscurity.
 
 
 

partly because of software acquisition behaviour and seamless integrated third party updates, and partly through the heterogeneous nature of GNU/Linux.

Much more can be done through windows with less effort. Real security measures not placebos. And considering the user is going to be loading chrome the whole less exploits argument goes down the crapper.
 
 
 

Reductio ad absurdum? Hardly a useful system for most people. Why don't you cut your internet lines while you're at it

Computer Security 101, Increasing computer security always reduces what the user can do. Its always a sacrifice.

Everyone wants great computer security, Few make the sacrifices to acquire it.
 
Im not trying to engage in a windows vs. linux pissing contest, I don't care which he uses just secure which ever one of them you use.

[Mindovermaster Moderator]

Odd, this is the Linux section, not Windows...

[Lazy8s]

I agree there. FF is the most secure major browser provided you have extensions like ABP and NoScript.

That's what I use currently. regarding your other post (#15) thank you for such a full answer. And I will be using your tip regarding multiple accounts.

[simplezz]

...Through obscurity.

That's partly true. However, it's not the only reason as I outlined in previous posts. Still, any security is good, even through obscurity. If it means I'm safer, I'm happy to accept it. 

Much more can be done through windows with less effort. Real security measures not placebos. And considering the user is going to be loading chrome the whole less exploits argument goes down the crapper.

The primary reservoir for malware infections is software acquisition. There's little you can do about that on Windows except lock down the system. And that's hardly a solution for ordinary users.

 

Computer Security 101, Increasing computer security always reduces what the user can do. Its always a sacrifice.

Changing user behaviour is far more efficacious and doesn't reduce what the user can do (to a large degree). So no, it's not always a sacrifice.

[Lazy8s]

Computer Security 101, Increasing computer security always reduces what the user can do. Its always a sacrifice.

Everyone wants great computer security, Few make the sacrifices to acquire it.

 

I agree with this. I'm willing to make the sacrifices for this one machine, but...well, full disclosure here may be a good idea. I've used several of the big name security suites lately, and am currently running Kaspersky. I've had minor to major issues with each. Today for instance, I'm greeted by multiple warnings on boot that firewall, AV is disabled, yet Kaspersky says they're enabled. Multiple times for that "error" and it's a question mark I don't want, and it refuses to update itself.

 

Long boring story with boring details lol, I'm just tired of dealing with 3rd party suites. I did consider going the Win firewall + Defender route, but I've seen too many reports like the one simplezz posted above. I want to try something that has fewer doors to close and fewer worries about whether I'm forgetting something or missing something, that's all.

 

[TPreston]

That's partly true. However, it's not the only reason as I outlined in previous posts. Still, any security is good, even through obscurity. If it means I'm safer, I'm happy to accept it.

Until the **** hits the fan and your left hanging out their all pink and naked.

The primary reservoir for malware infections is software acquisition. There's little you can do about that on Windows

.....

except lock down the system.

What does this even mean ???

You can do anything from only allowing trusted signed software to run to blocking users installing any software to only allowing Microsoft applications to run. Any of the 3 will suffice.

[simplezz]

.....

What does this even mean ???

You can do anything from only allowing trusted signed software to run to blocking users installing any software to only allowing Microsoft applications to run. Any of the 3 will suffice.

Your only solution to security is to restrict the user by locking down the system. This isn't necessary if the primary software source is a curated store or peer reviewed repository. Microsoft is already moving towards that model but it's nowhere near as dominant as on iOS, Playstore, or GNU/Linux. If you eliminate software acquisition as a vector, security is greatly enhanced by definition.