The Linux vs. Windows Security Mystery
May 12, 2011 5:00 AM PT
Of all the many winning advantages Linux has in its favor, security is surely one of the more widely known examples.
Why else, indeed, would we see security experts in mainstream publications recommending it over Windows for online banking purposes?
That, indeed, is part of the reason it was so disappointing to see Linux get completely ignored in a recent NSA report entitled "Best Practices for Keeping Your Home Network Secure."
The report is filled with various suggestions oriented toward Windows and Mac users -- just as one would expect, given that they're by far the majority today. What stands out, though, is that for Windows users, the NSA simply recommends upgrading to Windows 7 or Vista, making no mention at all of the far-more-secure Linux option that's available.
More than a few ripples were created in the waters of the Linux blogosphere.
'NSA Says No to Linux'
Some interpretations seemed truly bizarre.
"NSA Best Practices Recommend Windows Over Linux For Security" read one headline on ITProPortal, for example.
Similarly, "NSA says no to Linux in best practice advisory" read another on TechEye.
This, despite the fact that Linux wasn't mentioned at all in the NSA report.
'What a Twist of Words'
Bloggers, as is their wont, made note of that fact quickly.
"Wow what a twist of words," wrote Ken in the comments on the ITProPortal story, for example. "The NSA article does not even mention Linux. What the NSA article says is this: 'Both Windows 7 and Vista provide substantial security enhancements over earlier Windows workstation operating systems such as XP.'
"So the NSA is really saying that the newer Windows is better than the old Windows. Duh!!!!" Ken added.
It wasn't long before PCWorld weighed in with an indignant, "Windows Vista for Better Security? I Don't Think So," and the conversation took off from there.
Down at the blogosphere's Punchy Penguin saloon, Linux Girl was bombarded with comments.
'Merely a Reflection of Reality'
"NSA recommending Vista for home security is merely a reflection of the reality of monopoly in the retail space," blogger Robert Pogson offered. "In the USA probably as few as 2 to 3 percent of users use GNU/Linux, so a recommendation is almost useless."
Those who are serious about security "are already aware of SELinux, a product of the NSA," Pogson added. "The NSA is merely recommending that folks move on from XP, a poor OS poorly supported by M$. Folks who would heed that advice probably do not even know GNU/Linux exists."
It is "possible that some of M$'s donations may also have suppressed mention of GNU/Linux," Pogson concluded. "But who knows?"
'The Security Swiss Cheese of XP'
Consultant and Slashdot blogger Gerhard Mack took a similar view.
"You can't knock them too badly," Mack agreed. "The best numbers I have seen show Linux at half the numbers of Apple -- a small number to begin with."
The NSA "has sponsored Linux security projects in the past, so they are definitely not anti-Linux," he pointed out.
Vista, meanwhile, "brought along some features to allow more apps to run as non-administrator and some features (UAC) to annoy people who buy products from people who can't be bothered with good security patches," Mack added. "Win 7 is just a more stable/less annoying Vista, and I'll take either of them over the security Swiss cheese of XP."
So, "I'm with the NSA on this one because the sooner XP is just a memory, the better off we all are," Mack concluded.
'You Need to Know What You're Doing'
"The problem with Linux is you really need to know what you're doing for it to be secure," asserted Slashdot blogger hairyfeet.
The NSA's recommendations, then, are "no surprise, as they know that 99.995 percent of the population is not CS grads or kernel hackers or programmers," hairyfeet opined. "These people will NEVER use CLI -- hell, Windows' control panel scares them. You honestly think they are gonna learn Bash?"
Hyperlogos blogger Martin Espinoza wasn't so sure.
'Irresponsible at Best'
"When I see the federal government recommend the products of one of its actual constituents, I am annoyed but not surprised," Espinoza told Linux Girl in a link-filled email. "Remember when Bush's boy Ashcroft gave Microsoft a free pass after the DOJ found that they had illegally abused their monopoly position? (And have you noticed where Ashcroft is now?)
"It comes as no shock to see the NSA failing to promote Linux when the federal government is clearly a friend to Microsoft, and vice versa," he said.
"And let us not forget the well-foreshadowed speculation that Vista may contain an NSA back door," Espinoza pointed out. "Since there is no way for an independent reviewer to know that the code they are reviewing is what is actually being distributed with Windows or via Windows (or Microsoft) Update, clearly it is irresponsible at best to utilize Windows in any case where security is important."
'NSA - New Spending Authority'
Barbara Hudson, a blogger on Slashdot who goes by "Tom" on the site, wondered about the target audience for the NSA's report.
"Home users will never even see this, never mind read it," Hudson explained. "Business users? If they haven't switched by now, a pdf bearing the NSA's imprimatur isn't going to count for a hill of beans next to the considerations of software that can't be migrated from XP, or the costs and time of migrating desktop users to a new version.
"Besides, most of those installations will be taken care of over the next few years by simple attrition or migrating the users to tablets," she added.
"So who *was* the real target audience? I would have to say it's the boss of whoever at the NSA ordered this written, to 'show they're doing something' so they can justify their paycheck," Hudson suggested. "After all, haven't your tax dollars always been used for NSA -- New Spending Authority?
"Now please excuse me," she concluded, "while I go tell the neighbors that those black helicopters are just a coincidence."