True, but the article points out multiple architectural flaws which cannot be resolved by "manual hardening". It's pointed out that knowing how syscalls and such work helps of course with sandboxing applications manually, but that isn't enough with all the unpatched vulnerabilities in the kernel itself.
Discussion
Every system has "architectural" flaws, 0days and CVEs; that's just a normal day in infosec.
What matters is in practice and in the wild. The fact most internet infrastructure uses Linux is not some collective delusion based on a "common security misconception".
It's years of practical experience at play. If they were really better off using some other OS, the free market would guide it towards that.
That's a very good point, even if so many kernel vulnerabilities are known but just not fixed, like the article claims. And even when there supposedly are teams who can penetrate any system on the globe if given enough time, that shouldn't be in the threat model of 99.9% of the people. I think the most prudent action for the security-oriented pleb is to just start using Qubes and some airgapped cold storage method.