Why Switching OS Platforms Is Not a Security Fix
It has been a rallying cry against Microsoft Windows for years: to avoid malware and security issues, just stop using Windows. The mantra has traditionally been embraced by both Mac and Linux users, but as Mac OS X users deal with the fallout from the Flashback malware attack, some Linux supporters are turning the tired attack even against the Apple OS.
Admittedly, the Mac OS X platform is realizing some of the negative consequences that come with mainstream adoption. The rising prominence of the Mac OS has made it an inviting target for malware developers. Switching operating systems is not the answer, though.
Granted, Linux is much less likely to be attacked by malware. But, that reality is as much or more a function of the relative obscurity of Linux as it is a function of the Linux OS itself. Being less targeted is not the same thing as being more secure.
It’s no secret that I’m not confident in Linux as a mainstream desktop OS. I like Linux, and I think it’s a great operating system, but its strength is also a fatal flaw when it comes to broader adoption by consumers or businesses. The diversity of Linux distributions makes it virtually impossible to even define what a Linux desktop is, or get any consensus that hardware and software vendors can rally around.
But, this is not about Linux. This is not an indictment of, or commentary on Linux as an OS--or even the relative security of Linux. This is about the silliness of suggesting a platform switch as a security solution.
The strategy reminds me of the “you’re holding it wrong” approach Apple took in responding to the iPhone “AntennaGate” issue, or tips to disable location services or turn off WiFi capabilities as a “fix” for poor battery endurance on a smartphone. Limiting functionality or using it differently isn’t really a fix, and neither is switching operating systems.
Suggesting that users switch to Linux as a “fix” for the security issues faced by Windows or Mac OS X is a little like suggesting that users buy a Honda vehicle as a “fix” for Fords being stolen more frequently, or suggesting somebody switch banks because one bank has been robbed less than another. Linux, Windows, and Mac OS X are all operating systems, and they each have pros and cons--but they all have security weaknesses.
Is Linux inherently more secure? That is debatable--as evidenced by the frequent debates on the subject. There are certainly some things about the core operating system that may make it harder to exploit with some attacks or malware. But, the “most secure operating system” is the one the user is most familiar with so they know what security controls are available and how to use them.
Dave Marcus, director of advanced research and threat intelligence for McAfee, points out that the security model of the Linux OS won’t necessarily protect it against common malware attacks. Phishing attacks, Trojans, and other malware exploits that target data can hit the jackpot just fine without having to escalate privileges or obtain root access.
Security is more a result of user awareness and behavior. Risky behavior is risky behavior regardless of the operating system.
The reality is that Linux is not more secure. It is simply less targeted. The fallacious belief that it is inherently secure is the same sort of faulty logic that’s getting Mac users in trouble now. The Mac culture has been conditioned that security is not an issue, and now that the OS is being targeted by malware attacks the users are unprepared to recognize or respond to threats.
The OS itself is becoming increasingly less relevant anyway. The Flashback attack exploits a Java flaw. Many malware attacks go after Adobe Flash, and other fairly ubiquitous applications. Third-party software is often the weaker “low-hanging fruit”, and cross-platform tools like Java and Flash offer a wider potential pool of victims.
Running away to a more obscure, less targeted platform is only a viable solution as long as the platform remains more obscure and less targeted. Consumers and businesses have to face malware threats, and find ways to secure and protect PCs regardless of what operating system they’re running.