cross-posted from: https://piefed.world/c/uncommon/p/1089778/linux-is-actually-very-vulnerable-to-exploits-and-it-s-showing-with-high-value-vulnerabi
I hate when people keep repeating the myth that Linux is more secure than X OS without any understanding of how much Linux gets exploited.
On the other hand, FreeBSD rarely suffers from wide security issues.
Overall, I don’t think anyone should repeat the myth that Linux is secure.
And at least if they gonna recommend Linux, they better recommend a good distro with SeLinux, hardened kernel and hardened OS.
FreeBSD buffer overflows go brrrrrr, and I say this as lemmys official™ FreeBSD shitposter
I just had some great hamburger helper. Cooked some onions with the meat, add some extra cheese and a little mustard to enhance that cheese flavor. A few more noodles. Incredible.
Me when I’m not a professional with no understanding of his things actually works and I accidentally reinvent “computers insecure, avoid them at all costs for max cybersec”
OpenBSD can, objectively, do only a fraction of what Linux can. As a result, it is expected it will have only a fraction of vulnerabilities.
“I hate when people keep repeating the myth that Linux is more secure than X OS without any understanding of how much Linux gets exploited.”
Very few operating systems are secure out of the box. It’s up to the users to make it secure. It just so happens to be that Linux is the easiest to make secure, therefore I’ve always seen it as such when done right. Not to mention, I can know exactly how everything works rather than the blackboxes of Win or Mac.
It’s impossible to know what’s happening on macOS. The number of open processes that are running on their computer is mesmerising, so the user feels disempowered. I dream of daily driving FreeBSD
It just so happens to be that Linux is the easiest to make secure
Could you back that up? Thanks in advance!
I have template iptables/nftables rules on my devices on the network that I can just copy and paste to a machine to have a firewall that works (with tweaks specific to that device). With it I can tell it to send all logs of my choice through syslog-ng to my server just by installing it and telling it the destination, allowing me to have (already made) alerts and dashboards on every device on my internal network. My router runs Linux (openwrt) and allows me to do something other routers can’t do because I’m able to add a module into the kernel: permit switch-level firewall access. What this means is I don’t need (but do still have) VLAN to restrict traffic between devices. I can block firewall access completely at the router level before a device is tweaked to also add additional security (e.g. helps prevent my smart tv from probing every device on my network to gather information. Or if I purchase a malicious hardware online, it won’t know the rest of the network exists because the router doesn’t tell it unless I say it’s okay).
That’s firewall stuff. System security: can compile and modify the kernel to just the modules and such I want, lowering the scope of issues from a kernel level vulnerability. I can be very granular with file and directory permissions with a single command in the terminal. I can easily track file metadata changes down to just about anything you can think of with simple tools, like aide. Python scripts through cron and inotify can help me monitor when something sus happens on my machines.
Most of all this being done on Windows or Mac would require extra effort to work correctly, and not to mention probably cost money for software that can do the same but isn’t free. Also not entirely sure a router can be setup on either of those OS.
So I have openwrt also. I setup a wireguard interface for a guest zone. Now I need make a firewall that only allows traffic from the VPN. Next I need a VLAN, but you said you had one setup. My openWRT One only has 2 ETH ports. Did you install openWRT firmware into a VLAN switch to be able to do that?
I suppose I could have one VLAN. I was going to just plug the router into a managed switch later.
What does it mean to “make Linux secure”? What does secure mean to you (genuine question). I see people say they can make Linux secure but from what kinds of attacks. I think madaidan’s blog explains why you can’t as an individual fix an issue with the entire ecosystem, or fix the kernel of its inherent security flaws https://madaidans-insecurities.github.io/linux.html
I think “good security” in my personal opinion means that even if you try to run a malicious app, it either crashes out right or can’t do anything because it doesn’t have the permission to.
One thing that I think is very misunderstood is that messy or extremely large/dense code can be very hard to understand, even if you have the source code. Like systemd, it is several million lines of code and is very tangled together. Is it that much better than a blackbox if no one can audit the whole thing (unless you are a massive team)? I do think it is better to have source code and documentation, but vulnerabilities arise from unintended interactions in the code. The more code there is, the higher the chance of this happening.
My response to the other person kind of explains some of the things I do to keep my devices secure. As for what it means to me: being able to control everything to be able to define level of access. I try to treat every device on my network as though it’s already compromised. How can I block the scope of the devices from spreading on the network? How can I limit the scope of damage for what’s available on the compromised device to a minimum? Heavy firewall configurations help limit the devices spread to. Encrypting private data such as contracts, government docs, etc into their own containers or partitions helps limit leaks. Alerts and dashboards on unexpected changes of any devices allows me to react quickly, of automation hasn’t already reacted for me.
You’re right in the fact I’m not going to look at millions of lines of code for many tools and such I use. It doesn’t mean I don’t look though. Being given the option to look at what I’m running is always better to me than not having it, in my opinion
much smaller target so far fewer people are looking for holes in bsd, subsequently there are fewer reported ‘issues’.
and if you tasked all the persons and organizations looking for holes in linux to do the same to bsd…
this ⬆️
also it is a gud thing we are finding exploits so that we can fix them ; theres currently no OS with zero exploits, the fact that none being found is concerning bcz nobody is checking and there might be some bad exploits in them…
Sometimes I wish people would back up their factual claims with numbers and studies.
Also: FreeBSD phone, when??
Thanks for the link! But I’m afraid it doesn’t tell me much. a) FreeBSD isn’t even on the list, so I don’t know the numbers to compare it to. and b) there’s things like survivorship bias. Looking at numbers like this is literally the textbook example of how to do it the wrong way. You have to do statistics the proper way around. For all we know by those numbers, Linux could be the best battle-tested OS in the world. I mean they fixed 3 times as many vulnerabilities as Microsoft did for any of their products?!
Interesting that this chart separates the SKUs on the Windows NT kernel but lumps all the Linux kernel stuff together. I have to imagine that this isn’t intentional and it’s just an artifact of how they collect data.
This seems like a better resource for tracking a specific product over time than comparing between them. It’s also worth mentioning, as the other person pointed out, that the Linux kernel is the most audited codebase of all time, so that likely also plays into this a bit.
There are ten thousand Linux distributions—some of which are shit—and only one FreeBSD.
The amount of different distros is mesmerising. On my previous laptop, I wanted to use Linux but I wiped and installed more distros per day than the amount of hours I used it.
Each had its drawbacks: systemd, snapd, no HDMI support, etc. And Gnome would just freeze in the middle of presentations
Sounds like you speedrunned distro hopping and used anything but the stuff people actually end up using. I recommend not to look at distros but the base OS. Distro is just a bunch of things on a base. Also I’ve never used Gnome, but friends who have used it eventually switched to literally anything else.
Also, never expect things to be 100% plug and play and then complain about them with no research. There is always a limit with every software. And there are always resources and guides.
Of course it was my mistake that the HDMI port didn’t work with KDE? On arch linux. I was using it wrong
no HDMI support
What distro doesn’t have HDMI support?!
Sure, let’s lump all distros into a pot called “Linux.” A vulnerability in one must mean a vulnerability in all.
i’m glad to see more bsd stuff here and dissapointed to see the redditors downvote it nothing.
Linux isn’t inherently secure, it never was, just unpopular. Now that’s changing, *BSD becomes the safe heaven.
