On Sb, 11 apr 20, 19:06:59, l0f...@tuta.io wrote:
> 
> I understand most of you respondents don't use anti-malware at all. A 
> good hygiene or other kind of solutions like system hardening 
> (AppArmor, SELinux) are way more efficient.
> 
> NB : I've been told SELinux is so complex, people eventually let it 
> drop... Do you all succeed in configuring & using it? ;)

Didn't even try, I just take whatever Debian does by default.
 
> Do you follow any guide or tool to help you in hardening your Linux 
> distro?
> I've used Lynis for the audit part, it's nicely done. What do you 
> think about it?

Any such tool you are using has to be regularly updated as well and by 
definition is built on the assumptions of the developers of what is 
(not) necessary for me. This can easily lead to a false sense of 
security.

> Anti-malware on Windows is common/best practice. However, as we are 
> discussing it here, things seem to be different with Linux. I don't 
> really think Linux is intrinsically more secure than Windows nowadays 
> (a vulnerability remains as such) but I really think Linux ecosystem 
> is. Here are some reasons that could explain that according to me:
>
> * Most softwares are downloaded through official preconfigured 
> repositories. Users are less prone to download malware on suspicions 
> websites

There are sufficient tutorials advising to download random scripts and 
run with root privileges.

> * Updates are easier as well because tracked/centralized through 
> repositories themselves for the most part. On Windows you need to 
> check Windows Update + Windows Store + each application individually

Would be the same on Debian if you chose to install additional software 
with some other package manager and debs downloaded from whatever 
website.

> * Linux users are globally more tech-savvy so they take care more 
> about their systems

This is just a side effect of Linux being much less common on typical[1] 
desktop / laptop systems.

> * Open source is more common on Linux (community-based) than Windows 
> (money-based) so theoretically anyone competent enough could view the 
> source by oneself and spot a malovelent behavior (/!\ in practice this 
> is not so easy, see what happened with OpenSSL / HeartBleed)

You probably mean Linus's law[2]. Unfortunately the reverse is true as 
well: without sufficient eyeballs there will be many bugs.

If something like Heartbleed can happen to a widely deployed software 
imagine what is probably hidden in all the software with a much smaller 
user-base and almost no active maintenance.

> * Linux desktops are less exposed : it's more lucrative for black hats 
> to target Windows users with malware (see desktop marketshares). 
> However this is only half of an argument because Linux server 
> marketshares are quite the opposite!
>
> * Until some years ago, I would have added that Linux is more secured 
> by design (least privilege, compartmentalization) than Windows but I 
> think this is not so true now, Windows has cought up apparently...
>
> => What is your opinion?

In my opinion any system can be made very secure, but not 100%.

The given/chosen hardware and software can make some things easier while 
making others more difficult.

The FLOSS ecosystem has a slight cultural advantage: less reliance on 
tools to stop and/or detect malware. Instead the vulnerability is 
(hopefully) found and patched.

This advantage is partially due to Microsoft's security practices in the 
past. While these have improved significantly in recent years some 
practices are difficult to change and will probably only disappear 
together with the desktops and laptops[3].

[1] not including Chromebooks
[2] https://en.wikipedia.org/wiki/Linus%27s_law
[3] fortunately when new types of devices like smartphones and tablets 
were introduced the hardware and software makers used the opportunity to 
also introduce better security models and practices, unfortunately 
together with an entire class of new privacy issues.

Kind regards,
Andrei
-- 
http://wiki.debian.org/FAQsFromDebianUser

Attachment: signature.asc
Description: PGP signature

Reply via email to