Ubuntu Linux, Day 24: More Secure By Default
30 Days With Ubuntu Linux: Day 24
As I have gone through the 30 Days With Ubuntu Linux experience--and especially the past couple days as I have toyed with Wine and trying to get Windows software to run within Ubuntu--I have seen ample evidence of the security features of the OS. Simply put, Ubuntu Linux (and, I assume, Linux in general) is more secure by default.
That may seem blasphemous coming from a devoted Windows user. The reality is what it is, though.
Here is what I have seen. First--the OS defaults to a timeout of sorts that requires me to enter my password again to wake the system up if I step away for more than a minute or two. Every time I want to make a change, or install some app from the Ubuntu Software Center, I have to enter my password again to grant permission--a' la the UAC function in Windows.
Granted, I can get that kind of security in Windows as well. UAC is already there to require a password to elevate privileges in order to install software, and I can set the Power Options and screen saver settings to make sure the system automatically locks itself down after a couple minutes of inactivity and requires me to log in to resume.
However, Windows doesn't have anything to compare with the behavior that I found so frustrating the past couple of days. In Windows, there are file types that are designated as executable, and those file types run by default (the aforementioned UAC behavior notwithstanding). Ubuntu Linux doesn't recognize any "default" executable file types, though, and requires that you make a conscious effort to modify the file permissions to mark the file as executable.
Microsoft could implement similar security controls, but if the backlash against UAC is any indication, there would be a revolt. As a matter of fact, if you happen to be one of those who deplores UAC, Ubuntu Linux is not for you. It may be less convenient, but requiring deliberate action by the user before a file can execute would prevent virtually any attack, and makes the OS more secure by default.
That said, I don't believe in impervious systems. We're talking about open source software--meaning attackers have access to the source code to identify and exploit holes. A platform like Ubuntu Linux has hundreds or thousands of developers working on it, though, and holes would ostensibly be identified and fixed before an attacker can exploit them. But, not every open source application is developed with the same degree of professionalism or level of community support--so there may still be weak points.
Linux enjoys security by obscurity by virtue of its miniscule market share. Basically, even if it is technically possible to write a Linux virus or worm , most attackers would never bother because the potential pool of targets is too small to be worth it.
However, that doesn't mean that an attacker with a specific target in mind couldn't find a hole to exploit in a precision attack. The danger lies in being overly confident about the security of the Ubuntu Linux platform to the extent that it makes you an easier target because you are too oblivious to consider the possibility of an attack.
It may not be invulnerable, but I can't really argue with the fact that it is simply more secure by default.