Editor's Note: A lot has changed since this article was written so we decided to take another look at the topic. Check out the new article, Is Linux Really More Secure than Windows?, to see what the findings are ... you might be surprised (or not).
I'm more secure on Linux than I am on Windows. Yup, that's right. I have no doubt whatsoever that I am.
I started down this path by comparing how secure I am on a Mac vs. on Windows, then I compared Mac vs. Linux. To complete that trifecta, I guess it's only fair to compare the end-user data security aspects of Windows against Linux.
Later, I started using Windows-based systems at the office, but never felt quite at home. I was constantly frustrated by the frequent reboots, lack of serious security capabilities (from my perspective), and such. Then, following a brief foray in OS/2, I quickly gravitated to running Linux at home so I could once again have a real multi-tasking working environment.
Nowadays, my primary desktop is on a Macbook Pro, the best computer I've ever owned, without any doubt.
But, I still run a Debian Linux infrastructure for my company, with a couple Samba servers at its core. It's not uncommon for the Linux systems to go over a year in between reboots. And, I still use XP on another laptop from time to time, generally when a customer requires it or I absolutely must run something like ActiveX controls on a web site. I try my best to learn how to best use the security features of each OS I use, naturally.
So, with that background in mind, it's clear my views are somewhat biased. However, I consider myself very open-minded and will always give credit where it's due. Heck, some of my best friends use Windows (but I do my best to talk them into OS X anyway).
True to UNIX. It's tough to be entirely fair here, since Windows isn't UNIX in any sense. But my point here is that Linux does follow the security features and capabilities it inherited from UNIX quite closely. In particular, the notion of an administrative (root) user that maintains and operates the system, and desktop users who only run the software on the system, is completely ingrained in most Linux distributions.
Now it's true that many Linux users ignore these features and run all their software from a root-level account anyway, but that's a choice that they've made. The system defaults to protecting the operating system components from its users' actions (intentional or otherwise). That feature alone must account in large degree for the dearth of viruses and other malicious vermin on Linux and UNIX platforms.
Windows, on the other hand, started life as a single user system, with that single user being all-powerful. Although that's no longer the case, the general attitude can still be found in many Windows-based software products, many of which just can't be installed and/or run properly without desktop administrator privileges. This is all changing for the better, but it took Microsoft far too long to adopt this default-secure configuration practice.
Qualitative score: Windows gets a D+ while Linux gets an A-.
Bummer of a birthmark. Many of us no doubt remember Gary Larson's Far Side comic strip in which two deer are standing around, and one of the deer has a big bulls-eye target on his chest. You get the picture.
Well, in many ways, that's the sad state of affairs for Windows users these days. It's true that phishers, virus writers, and other miscreants could target other operating systems, but by and large they don't.
As other operating systems gain market share, that's likely to change, but by my thinking, Linux isn't going to be the next big target. So, until and unless that target birthmark finds its way onto another victim, it's "bummer of a birthmark" time for Windows users. (Hint: the birthmark itself is your Outlook/Internet Explorer combination!)
Qualitative score: Windows gets an F while Linux gets an A.
User data confidentiality. All those commands that I grew comfortable with on UNIX (e.g., chmod, chown, umask) for protecting or sharing my data are in Linux and are easy for me to work with. Although the features are relatively on the light side as industrial strength file access control goes, the tools and capabilities are readily available and they work pretty darned well.
While it's true that Windows has equivalent commands and GUI interfaces for protecting one's data, I've always found them to be awkward at best, and generally defaulting to open (world read-write) unless I go out of my way to lock down my own files.
Now, to be fair, I have to point out that the Windows NTFS file system has a phenomenally powerful set of features when it comes to file/directory access control and auditing. Indeed, when used properly, an NTFS file system can be very tightly configured to the needs of a user or application. The problem is that so few people do it or even know how to do it.
One other factor here is the availability of third-party file and disk encryption products. Here Windows clearly has the upper hand, and I'm noticing more and more corporate laptops employing disk encryption as a standard configuration item. (I guess we can thank the likes of the U.S. Veterans Administration for that.)
Qualitative score: Windows gets a B- while Linux gets a B+.
Patch practices. Here Windows shines (finally). With Windows Update being readily available and running by default as of XP SP2, things are finally looking up for Windows users. From the perspective of an end-user seeking to keep his computer up to date with the current vendor-supplied security patches, Windows sure does make things easy.
Linux isn't too far in the distance, though. Most Linux distributions do a respectable job at automated security patch management. Many are opt-in, however, and the interface varies from one distribution to the next, making it a bit less easy to do things properly for a typical end-user.
The elapsed time from notification to patch, on the other hand, can vary substantially. Overall, and again from a highly subjective viewpoint, I give a slight edge to Linux, but I do feel that Microsoft has made great advances in the past few years.
Qualitative score: Windows gets an A- while Linux gets a B+.
With these scores in mind, I have absolutely no doubt that my data is safer on a Linux system than on a Windows system. And that ends my three-way comparison of the user-level security in OS X, Windows, and Linux. I've tried to be as fair as I can, and have given credit where each is worthy of it and wrath where it's not.
My overall winner remains Apple's OS X, which offers the best of both worlds (UNIX and Windows-like) to me. I have the native desktop apps that I need to do business, and underneath it all is the familiar face of UNIX. I'm at $HOME.
In closing, I should also say that a person determined to keep her data secure can certainly use any of these three operating systems successfully. There's enough good in the worst of them (and bad in the best of them) that what matters most is really learning how to use all the security capabilities of the OS you're most comfortable with.