Top 5 security Myths about Linux; and their realities

Linux has, unfortunately, long been surrounded by myths. Despite the speedy adoption of Linux as a mainstream operating system, particularly in enterprises, the common misconceptions about it persist. This post lists five traditional myths about Linux security and attempts to debunk each by discussing the facts.

There are mainly two schools of thought regarding the security of Linux. One group assumes ‘Linux is virus proof’; the other advocates the completely contrary view, i.e. ‘Linux is more insecure (compared to its contenders), as it makes its source code available to everyone’. Let’s investigate in detail.

Myth 1: Linux is insecure, as it makes source code available to everyone.

Reality: While it is true that Linux makes its source code available for everyone to view and inspect, it is this open source nature that makes Linux superior to any proprietary OS in terms of security. As the source code is available to anyone, thousands of developers around the world scrutinize it for security pitfalls. Imagine: even at this very moment, a number of people are reading the code and making it better. It is far easier to spot and fix security issues on Linux than on any closed-source platform. Additionally, if a security vulnerability is found on a closed-source platform, it cannot be readily altered to make the software secure. In contrast, when a security hole is discovered in open source software, patches are created as quickly as possible (usually within hours), so the flaw doesn’t last long enough to be exploited.

When asked about the lack of known viruses for the Linux platform, the proprietary camp claims that Linux is not popular enough to have viruses. This is another common myth. Interestingly, it is not only the proprietary camp that believes Linux lacks viruses because of its minimal market share; the misconception appears in a lot of literature on the internet and in books.

Myth 2: Linux lacks viruses because it is not very popular.

Many say that the purpose of virus writers is to bring massive destruction. As Linux does not run on as many computers as Microsoft Windows does, virus writers target only Windows in order to damage as many stations as possible. While this might not be completely wrong, it is not completely true either.

Reality: Linux might not run on many desktop computers, BUT it runs on most computers in very important places. All supercomputers run Linux. Many notable governments have approved policies moving governmental computers to Linux. Additionally, there was a huge enterprise shift from proprietary OSes to Linux in the late 2000s recession. That means Linux, too, is a very attractive opportunity for hackers; indeed, hackers would be more likely to write viruses for Linux than for Windows if they wanted to bring even more destruction (especially destruction in terms of quality rather than quantity!). Therefore, the myth can easily be ruled out. Another reason the proprietary camp gives for the smaller number of known viruses for Linux is that Linux is an advanced OS and can only be used by professionals who know how to protect their systems.

Myth 3: Linux is for experts who know how to protect their systems, and therefore Linux does not get viruses and is generally thought of as secure.

It is also a common misconception that because Linux is for experts, its users know well how to deal with viruses. Windows, on the other hand, being a simpler system, is used even by non-technical people who are naive enough to get a virus and destroy the whole system.

Reality: The concept ‘Linux is for experts’ is itself a myth and quite outdated now. Linux is now one of the friendliest OSes out there and can be used by novices and experts alike. There are Linux-based computers dedicated to the elderly (heard of the Wow computer?). So to say that Linux is for experts is not true. Linux is for everyone. Consequently, it is wrong to say that Linux doesn’t get viruses because its users are technically strong enough to defend the OS.

What makes Linux secure is neither its lack of popularity nor its technically strong user base. It is the strong architecture of Linux that makes it secure. On Linux systems users do not have “root” privileges; instead they possess lower-level accounts. As a result, even if a Linux system is somehow compromised, the virus will not have the root access needed to bring about any major damage to the system. Windows supports .exe files, a format in which viruses are transmitted. Linux, on the other hand, does not support .exe files. Linux uses configuration files in place of registry files, hence closing this door to viruses. As for Linux servers, they employ several levels of security. Linux servers are updated more often. To conclude, it is the Linux architecture, which differs from that of contending proprietary OSes, that makes it secure. That is to say, if Linux is adopted in mainstream desktop computing, I am sure that Linux will prove to be stronger and less inclined to get viruses than contending OSes.

Does that mean Linux is virus free? This constitutes our third myth.

Myth 4: Linux is virus free

Reality: While Linux is very secure and superior to its proprietary counterparts, it is not virus free. There are a number of viruses known for Linux. I have compiled popular known viruses in this post. It may be noted that almost all the viruses known for Linux are non-destructive in nature (but not non-existent).

Myth 5: On a Linux system you don’t need an antivirus.

Reality: Yes, it is very much true that when you are running a Linux OS you are secure. Nevertheless, one must realize that no OS is 100% secure. While this might not be very important for desktop/home users, the enterprise sector that uses Linux may require antivirus. Occasional scanning, backing up data and checking your system for malicious software does no harm to anyone. This does not mean you need to spend a substantial amount of cash on expensive antivirus software. Any free or open source antivirus would do justice to your security!
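The protection described under Myth 3 (ordinary users cannot modify the system) holds only while file permissions are intact, so one concrete form of "checking your system" is a permission audit. The following is an added example, not part of the original post: it walks a directory tree and reports world-writable entries and setuid/setgid files. The names `audit_permissions` and `build_demo_tree` are hypothetical, and the sample tree is constructed for the demonstration.

```python
import os
import stat
import tempfile


def audit_permissions(root):
    """Return (world_writable, setid) for everything below root.

    world_writable: paths that any local user can modify.
    setid: (path, owner_uid) for regular files with setuid or setgid set.
    """
    world_writable, setid = [], []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: never follow symlinks
            except OSError:
                continue  # entry vanished or is unreadable
            mode = st.st_mode
            if stat.S_ISLNK(mode):
                continue  # symlink permission bits are not enforced on Linux
            # A sticky world-writable directory (like /tmp) is expected.
            sticky_dir = stat.S_ISDIR(mode) and bool(mode & stat.S_ISVTX)
            if mode & stat.S_IWOTH and not sticky_dir:
                world_writable.append(path)
            # setuid/setgid files run with the owner's or group's privileges.
            if stat.S_ISREG(mode) and mode & (stat.S_ISUID | stat.S_ISGID):
                setid.append((path, st.st_uid))
    return sorted(world_writable), sorted(setid)


def build_demo_tree():
    """Create a constructed sample tree containing known-bad permissions."""
    root = tempfile.mkdtemp(prefix="perm-audit-")
    files = {"ok.txt": 0o644, "open.conf": 0o666, "helper": 0o4755}
    for name, mode in files.items():
        path = os.path.join(root, name)
        with open(path, "w") as fh:
            fh.write("constructed sample\n")
        os.chmod(path, mode)  # chmod after creation so umask cannot interfere
    for name, mode in {"shared": 0o777, "spool": 0o1777}.items():
        path = os.path.join(root, name)
        os.mkdir(path)
        os.chmod(path, mode)
    return root


if __name__ == "__main__":
    writable, privileged = audit_permissions(build_demo_tree())
    for path in writable:
        print("world-writable:", path)
    for path, uid in privileged:
        print("setuid/setgid (owner uid %d):" % uid, path)
```

On a real system, compare the setuid/setgid list against the distribution's package database before treating an entry as suspicious, since a small set of such binaries is normal.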

  • Chrisjones

    A good read. Nice work with the article.

  • Anonymous

    You are correct, it’s very true that desktop Linux versions are safer than the server versions, but also the Linux servers are safer than the Windows servers. :D

  • Ahmed Qorrow

    I have been running Linux with many distributions since 2001 and never got a virus. And I got approx. 5 hangs per year .. I love this Linux :)

  • pieboy007

    very much true

  • Tom

    Although the share is roughly around 90%, _all_ supercomputers _don’t_ run Linux. Although this might sound like nitpicking, I still think it’s worth pointing out.

  • guest

    Nothing really new here, though Windows users would do well to read it. Also, I think the article could be proofed by a native English speaker, or so it would seem. Good work though

  • Septimus

    They always base linux viruses not appearing because of popularity.
    But they never understand that linux has a huge server and supercomputer market share. A linux server virus would do the same damn thing on a linux desktop.
    So black-hat hackers have plenty of good reasons to attack any linux-based os.
    Many have tried to take down Facebook (which runs linux) and none have ever done it.

  • Steve Holdoway

    Point 1. Linux is inherently secure, as it understands the concept of users and groups ( MACs ) at the core of its design. However, as soon as you see some idiot write instructions like ‘chmod 777 *’, it’s been completely broken. There are way too many of these idiots developing software for linux.

    Point 2. Is absolutely correct. Virus creators by and large do it for a living, so the size of the target audience matters = sales! Look at the rise and subsequent remarketing from Apple when their market size made them a profitable target.

    There are orders of magnitude more Windows desktops than there are linux servers. If linux really hits the desktop, then it will become a target.

    Point 3. Of course linux is complex! ESPECIALLY when coming from a desktop – based environment, where there is no real security apart from nag screens every now and then, and the fact that they’re designed to be multi-user. There are other fundamental differences ( from trivial ones like case sensitivity up ), but if your linux machine is being used by more than one person, then whoever looks after it had better know what they’re doing.

    Point 4. The original worm was designed for unix in 1988, at a time when windows was unusable ( 3.0 came out in 1990 ). There are always a few doing the rounds. The reason they’re not a real problem as yet is back to point 2. No money in it. In addition, there are plenty of attacks of other sorts that occur – loading of malware onto web servers is a very common example.

    Point 5. Yes, you’re correct. I don’t run any, UNLESS providing shared resource for windows users ( via samba or mail ), in which case everything gets scanned. I also monitor my linux machines for any changes – whether it’s an increase in CPU use, decrease in disk space, etc for signs that some of the above attacks may be occurring.

    Whilst your article may well be valid for a hobbyist, you do include web enabled servers, and as such you do put it into a completely different environment where you’re instilling a false sense of security.

  • Anonymous

    On the virus issue: When Linux downloads a file, the executable bit is automatically disabled (if not zipped or tarballed). If the user is stupid enough to turn on the bit, they would then need to run the virus as root to damage the system beyond their home directory. If a user is qualified enough to perform those tasks, they are likely wise enough to refrain from doing so.

    Most Linux software comes from well known repositories. To install software from a random download (as Windows users do), a user would need to run a package manager as root. This is more likely. That is how Android users are lured to download infected versions of programs from shady stores. The phones get infected because we can’t patch stupidity.

    Servers are often targeted due to poor permissions or vulnerabilities. Many a PHP script has been inserted into an Apache server. These scripts typically target IE vulnerabilities, infecting Windows clients. Experienced admins can mitigate many of these issues with consistent patching.

  • AnGeLoS

    Nice article BUT 4 out of 5 Myths talks about viruses. Shouldn’t be just one myth for that and not 4? :P

  • Star Picket

    Re Point 1: How true is it that “thousands” of developers around the world look at every bit of Linux code? Perhaps each bit of kernel code but what about the packages that I download and install? Are they also checked by “thousands” or is it just the developer and a few mates? What about packages that are promoted on Linux blogs that encourage users to add a PPA then install a package. How safe is that process?

    These are genuine questions I have and would love to hear an informed answer.

  • theoldfellow

    Probably the biggest headache security-wise for a Linux user is the passing-on of viruses to Windows users. It’s necessary to scan data passing through systems, not because they might infect the system, but that it might propagate infection elsewhere.

    Myth 6: Linux users are more ethical than users of proprietary OSs.
    True. Well, here anyway.

  • JFM

    Do you really believe that funny program you downloaded cannot do much harm? First of all: when you install it (typically as root) the package manager (or make if you are compiling it) will run installation scripts. These scripts could be using some program in the package. And you are running it as root, remember? Second of all: When you install the whole thing (be it by configure; make; make install or through your faithful package managers) you could end up with some setuid root programs.
    Third: I am far less concerned about programs infecting others (that can be solved by reinstalling from a DVD) than I am about programs removing or altering files in my home directory (files owned by me, remember?) or sending confidential information to unsavoury people. And this will not be prevented by the standard permission system. You need SELinux, parameter it yourself to be absolutely paranoid: the standard settings from your distribution will fall short and later administer SELinux permissions as a complete paranoid instead of allowing a new program having general access to your home directory.

  • PNA

    One reason people say Linux is more secure and virus-free is that “root” is better protected in Linux than “Administrator” in Windows. But I am wondering if that really matters? If the purpose of a virus is to run a bot that sends out spam-messages, that does not need root, but can run perfectly well in user space. Even if the operating system is not compromised, it is still possible to run nasty stuff as an unprivileged user.

  • brentrbrian

    No experts required. I install it on the machines of friends and relatives to make the AFTER HOURS TECH SUPPORT CALLS GO AWAY, FOREVER.

  • Albin

    Interesting piece. There’s a bit of a contradiction in that the most attractive Linux targets in enterprise and government are in fact run by expert professionals who are paid to harden the system.

  • neb

    Yes, even a noob can install Linux these days, but how many do ? In my experience none. Most of them don’t even know what Linux is. So it’s true that the percentage of computer illiterate users is much much lower in the linux community.

  • Toad

    A bot is not a virus, although both are considered malware. A virus can replicate itself in your system, infecting other files and other computers, whereas a bot cannot do this. Sure, it’s possible to run a bot in user space, but this doesn’t corrupt your files, replicate itself to neighboring computers, or otherwise cause a problem that you cannot resolve with a few simple commands.

    As the article said, Linux isn’t 100% malware proof, but if it makes my job easier, it’s still a consideration worth serious thought.

  • Tom :)

    Hi :) Windows admins keep having to worry about various different types of malware and the different types of problems they create and the different ways of trying to get rid of them. It’s like Eskimos have 7 different words for “snow”. In linux-land there are so few issues that just one woolly term is enough.

    For example, on Windows you kinda need to run an anti-virus and/or be prepared to reinstall the whole OS (or chuck the machine and buy another). On linux you don’t really need to run one but it’s wise to do so. The only useful thing about antivirus on Linux is that it can scan the Windows side faster and is far less likely to be knocked out by whichever viruses are lurking in Windows.

    So the myth that “You don’t need an antivirus in Linux” is a little misleading and is a completely separate issue from the myth about the amount of malware in Linux. There are about 300 known malware programs that can affect Linux but you really have to tend them carefully or they die out too fast. So you have to deliberately set things up to try to keep them around. For Windows there were about 800,000 the last time I looked into this and most don’t need very much encouragement at all. However, it’s still useful to have an antivirus in Linux because Windows ones are likely to be the first thing that gets knocked out by any half-decent virus.

    Regards from
    Tom :)

  • Tom :)

    Hi :) I suspect that Linux servers are safer than Linux desktops. Often they don’t even have a gui for point&click users to poke around with whereas almost everything i do in Ubuntu is point&click (or click&drag).

    It does seem that Linux desktops are safer and more robust than Windows servers.
    Regards from
    Tom :)

  • Tom :)

    Hi :) Also extremely unlikely to find a noob that can install Windows. Some people say they prefer Windows because “everything just works” but they have no idea of the amount of trouble they would have installing Windows and all the programs and updates and reboots and further updates and more reboots and hunting for drivers.

    With a Gnu&Linux such as Ubuntu it’s pretty much just stick the Cd in and reboot and then just keep clicking on “Next”. All programs they are likely to need get installed at the same time. One round of updates does all the programs too. It’s a load easier than installing Windows.
    Regards from
    Tom :)

  • Tom :)

    Hi :) Experts get paid to do the least amount of work possible. Gnu&Linux takes less time to get an extremely robust system and needs less routine maintenance which can be done remotely more easily. So, massive increase in quality and massive reduction in costs.
    Regards from
    Tom :)

  • Tom :)

    Hi :)
    1. Mistakes or foolishness are always possible but is likely to be quickly spotted and corrected. A similar level of foolishness in proprietary code (such as in Windows) is harder to spot since almost no-one is allowed to look at the code and even fewer allowed to see how it interacts with other secretive code.

    2. Scale. A virus affecting 1 desktop probably creates problems for 1 or 2 users. A virus or attack affecting 1 server is likely to affect hundreds or thousands or even millions of people. So which makes more economic sense? So why is it that we hardly ever hear of issues affecting servers but hear about desktop security problems all the time?

    3. Blatantly wrong. Check your facts

    4. Scale again. There are always thousands of Windows issues doing the rounds but only a couple of Gnu&Linux ones. Most on both sides can be discounted even with very half-hearted efforts at staying reasonably up-to-date. The rest was a repeat of point 2.

    5. Obviously it’s better to be safe than sorry and it’s very easy to monitor such things in Linux and run antivirus. It’s not like Windows antivirus causing desperate slow-downs.

    Regards from
    Tom :)

  • Tom :)

    Hi :) I would guess that people only look at things they object to, are suspicious of or stuff they are curious about or that they like a lot and want to learn from or copy or just admire the elegance of. Probably there are a few out there just randomly looking at any code for no real reason except that they can.

    So, potential issues probably attract more attention than stuff that just keeps working. And that’s kinda where we want the focus anyway right?
    Regards from
    Tom :)

  • Drunken Economist

    You think the main purpose of a virus is to cause problems? You, sir, are most certainly NOT an economist.

  • 2833420

    Linux is a kernel. Some Windows fanboys are lying to themselves that Linux is a complete operating system, in order to direct their hate on something.

  • Tryfon Farmakakis

    Very good post. Unfortunately it lacks technical depth and leaves important issues without much elaboration. And man, your English. They gave me some headache… :)

  • fedora17user

    ikr i love linux because i don’t get a virus every time i download something from a site that i don’t know

  • Marcus

    > “root” is better protected in Linux than “Administrator”
    The “root” user is NOT the equivalent of the “administrator” user. Actually, the “system” user is the “root” equivalent.

  • Look Closer

    yea. I’ve even known of people who had a computer with Windows on it and they didn’t even know what Windows was. I tried to explain to them that there are other operating systems that can run on computers.. Like Un|x, Linux or even MacOS. They could not comprehend what I was talking about. To them a computer and MS Windows was a single entity

  • James Ruesch

    Great article! Thanks! I’ve really enjoyed learning the basics of Linux the past couple of years. While I’m not necessarily a “noob,” I’m definitely no expert. Thanks again!

  • Apurba Paul

    Really very good post, tells lots of thing about linux security. Thanks

  • Palmer

    Well, “in your experience” doesn’t mean that’s how it always is. I know several people who found out about Linux and wanted it for various reasons… These are very non-technical people I know who just wanted something fast that just worked for basic use (browsing the web and email). So there definitely are people out there who are like that.

  • Palmer

    It is very true, actually. A huge portion of Linux security is in user permissions. A regular user does not need privileges to send spam messages, so that would be an exception. However, that doesn’t mean that’s the only example or that it is always the case.

    Something that could alter system files, do damage to your system or install software to spy on you would need access to root.

  • Palmer

    There “could be some program in the package” but that is why you don’t download from shifty third-party sources or install a package with an unknown code or source. Simple as that.

  • Palmer

    Yeah. It is nitpicking a little but it’s true. Saying “all” and “almost all” are two different things, so you are right. A huge portion do still run Linux though.

  • Palmer

    I was thinking the same as I read through this. Good article and everything but some spelling mistakes and errors that kind of made it hard to get the point across.

  • Palmer

    When people say “Linux” in this context of course they are talking about the system. Yes, Linux is a kernel, but add a file manager, an interface, utilities, etc. it becomes the system itself. Of course there is other software and it’s not just Linux, but it’s a shorthand way of saying it. Windows fanboys do this because they don’t understand what it really means.