by jmau111 1249 days ago
This is not what I mean actually. Windows simplifies some procedures, which can be beneficial for most users. I'm a big Linux fan boy, but it's easy to mess up your config and get a false impression of security, especially with some distros.

To add examples: I have seen bad posture from otherwise good systems, e.g.:

- not having MAC (AppArmor or, preferably, SELinux) implemented

- not managing user permissions per least permissions principle

- not restricting access to bashrc

- not using Wayland opportunistically for a key app, e.g. emacs

- not LVM encrypting during the initial install

- not enabling memory and CPU protections in kernel (Ubuntu, Fedora, etc. get most of this right ootb)

There are more examples, and I'm not a security professional, but it's enough to give the flavour of the kinds of problems in defensive Linux security.

Not to mention kernel exploits, local privesc, unmaintained or abandoned distros, and many other issues.

I've seen so many people relying on the OS and thinking of themselves as power users just by using it with default settings. I think it's a mistake, hence my comparison.

Attacking a secured Windows system is not at everybody's reach. Doesn't mean it can't be done, but it's something I don't like to read in security news, like finding and exploiting 0days will be easy for attackers.

It's not and can take some time. There's even a huge market for initial access. In contrast, exploiting a vulnerable Linux system (e.g., unpatched) is documented everywhere.

Would you say kernel and privesc are worse or better on Linux? All else being "correct" I always had the feeling that this was handled well on mainline distros (Fedora, Ubuntu, Debian, openSUSE) and some BSD distros (OpenBSD), maybe even better than Windows depending on what you're looking at.

To me, the comparison does not make sense and was definitely not my intention when I mentioned Linux in the guide.

It's just that privesc and kernel exploits are possible under some conditions on Linux.