by ryanlol 2363 days ago
This guy is a downright idiot if he thinks that he has any more control over his keys on desktop Linux without actually auditing all the source code himself.

The idea that ElementaryOS is less likely to steal your coins than Windows or OS X is simply laughable.

5 comments

We already know Windows has some pretty excessive telemetry, it is not unreasonable to assume this or other elements of the OS can be exploited to gain control of a wallet.

At least with Linux we have thousands of open source developers keeping an eye on things, chances are much higher that an issue would be caught with Linux since Windows is closed source.

> At least with Linux we have thousands of open source developers keeping an eye on things

A bit of pithy sarcasm for your morning: Those thousands of eyes worked so well with OpenSSL, didn’t they?

Those eyes are less vigilant than you might think, especially when the eyes aren’t being paid to monitor a particular chunk of code.

Yes, they worked pretty well for OpenSSL. The issue was found eventually. In a proprietary system, it may have been there forever.
You're discounting the risk that, because it's open source, everyone assumes that someone else has done the security analysis. That is precisely what happened with OpenSSL--everyone assumed, since it's a big open source package, that somebody was keeping on top of this sort of issue, but nobody was.

That there have been two major OpenSSL security fumbles (first was the Debian OpenSSL fiasco, second Heartbleed) sort of suggests that the value of "many eyes" for ensuring security is vastly overrated.

How's that different to MS Windows? We assume the code is good, but some of the errors/oversights that crop up beggar belief.
It's not different. I think that's their point. FOSS like Linux doesn't automagically make it "safer" than proprietary systems like Windows.
It was not found by general developers doing security audits, it was found by a security company doing fuzzing attacks against SSL libraries.

And not to mention that Windows - the explicitly called out alternative from this article - makes their source available for security companies (as well as general developers who sign up for their MSDN program).

> In a proprietary system, it may have been there forever.

Why? Heartbleed was discovered by fuzzing the compiled binaries, not by eyeballing the source code.

Nothing prevents you from performing the exact same research on proprietary software.

> At least with Linux we have thousands of open source developers keeping an eye on things, chances are much higher that an issue would be caught with Linux since Windows is closed source.

That’s all utterly irrelevant when ElementaryOS doesn’t even offer reproducible builds.

Besides, source code access doesn’t make finding bugs much easier. Usually you’ll be auditing binaries anyway.

Not to mention, you have to evaluate this in context. What would MS stand to lose if they actually did this? Far, far more than whatever Bitcoin they'd be able to steal, that much is certain.

But in any case, if you care about security, you have a hardware wallet and store the seed somewhere secure.

It wouldn't have to be Microsoft exploiting this though, a few rogue employees that can modify their telemetry system could do this on their own. There is no external oversight for Windows but on Linux there are thousands of people looking at changes even if you aren't looking yourself.
There is no external oversight to ensure that the compiled binaries in the Elementary OS iso match the published Linux kernel code, either.
Linux Desktop isn't just the kernel, there's a lot of stack to exploit between that and the user, and history has shown that "many eyes" doesn't stop security problems from getting through. Hell, sometimes package maintainers introduce problems themselves independent of the developers.

That isn't even counting the hardware stack underneath your kernel. What parts of your machine were manufactured in China? Is Intel IME trustworthy? What about all those firmware blobs?

> there are thousands of people looking at changes even if you aren't looking yourself.

I’m sorry, but it’s really obvious that you don’t really know what you’re talking about.

Very few commits are looked at by more than a handful of people. If you’ve ever had any involvement in FOSS development you must know this.

ElementaryOS's repos were hacked a while back. The trojaned images didn't stay up long, but it illustrates your point. (Not singling out ElementaryOS... any software with a repo or updater could be trojanized, including software from big companies.)
I wonder what percentile of users have suffered financial harm on Windows versus Linux due to system insecurities. I have zero data on this, but history would imply Windows is far less safe.
In practice I would say Apple =~ Linux < Windows, though the latter can certainly be locked down if you know what you're doing.

However I think Linux's security is partly an artifact of a more techie user base. For a non-technical or too busy to be technical user I would say Apple offers the best security out of the box.

A file sitting on Windows that's been encrypted with a piece of well-audited encryption software is pretty safe. And if you want to be really certain, don't keep the machine connected to the internet except for software updates, and never while you're accessing your encrypted BTC archive.
Windows is targeted more (not exclusively, however), due to its popularity. If everyone moved over to Linux for the "security benefits", Linux would be targeted just as heavily.

Both Linux and Mac users have been hit with ransomware.

The other factor is that the vast majority of Windows security administrators (i.e., random users) are incompetent.

In terms of the security of the operating system itself, Windows may well be more secure than Linux. Many Windows applications, however, are going to be much less secure than the OS--although it's not like Linux applications are stellar in this regard as well (e.g., Docker).

Are they incompetent, or is the bar set so high that only trained professionals can be considered competent?

I believe the latter is true; I've seen some incredibly intelligent individuals fall victim to shady crap.

We (as in the entire software development community) need to lower that bar.

Vast majority of Linux admins are incompetent.

> Windows may well be more secure than Linux

This is very obviously the case if you look into the deployed exploit mitigation technologies.

Less likely...perhaps, but for all the wrong reasons ;)

That is, Windows is a target that's an order of magnitude bigger - of course there will be more attacks.

The kernel is auditable...maybe, possibly, theoretically, to a point - but what good is a kernel, when there's unauditable firmware between the OS and the hardware?

this says it all :D LOL