Why is GNU/Linux the Most Secure Desktop Operating System? 

Lol don't be silly. The most secure desktop operating system is obviously TempleOS.

What makes Linux safer? The users.

I think the most important fact is having many tech savvy guys using it.

im sure linux actually absolutely dominates the operating system market if we include servers and not just individual users

You forgot to mention linux does not come with a built-in backdoor to your computer. Update: Well I guess XZ had proven me wrong.

Temple OS is the only safe and secure OS. Just try mounting a usb device in it.

If you have a hard time installing any package not made for your specific distro, imagine how hard it is for a dude to make a virus for Linux.

gnu/linux safest? no gnu/linux safer than windows? yes

Not to mention all the patches and possible compromises are CLEARLY listed in the updates unlike the dodgy language of windows and Mac "updates"

I'll swear by Linux's flexibility any day. It's just so much easier to execute on weird hacky ideas. I've had two overlapping Zoom classes at one point, and I'd create two virtual PulseAudio-JACK sinks where each class would go, and wire each class to the left and right channels of my headphones, separately, then use two instances of OBS to record each class into separate files and folders at the same time, so I could watch separately later, and I had a third instance of OBS streaming "the meme camera" into v4l2loopback, and into both Zoom sessions. All of that, while running a Windows 10 GPU passthrough VM in QEMU, where the VM's main virtual disk is a GPT-formatted _partition_ in my physical SSD, that QEMU accesses as a block device, for maximum performance. Less than 10% CPU usage running all of this with VAAPI (aside from Win10 occassionally taking up more), on a Core i7-6700k. It's madness. Windows just can't do that shit, definitely not nearly as efficiently, and definitely not without a ton of crappy trialwares downloaded from the Internet. And that doesn't even count all the times I made slight, trivial customizations to the software I ran at the sourcecode level, to hack around limitations or play with even weirder ideas.

The biggest vulnerability is located between the chair and the keyboard. All jokes aside, not all malware uses vulnerabilities to work. Many of them may (and not limited to) give the attacker a reverse shell to the target. To mitigate this attack vector, a good firewall rule is needed.

To be clear though Linux servers are well known targets. It doesn't get as much press as Windows vulnerabilities but they are still vulnerable because they run most of the web as we know it and not everyone updates their version of Linux.

Well by richard stallmans definition everyone is a hacker

And then there is OpenBSD

OpenBSD...

I talked to my dad about open source software, he said that people back then tried to get him fired for pushing things like Linux.

1:30 "The script kiddie possibly hasn't even heard of Linux themselves." HAHAHAHAAHAHAHAHAHhahahahahaahaaaaaa..... I see you're unfamiliar with the ranks and armies of edgy 12 year olds who hear about Kali Linux and revere it like a holy grail of hacking, as if simply having it installed is a sign that you're an unstoppable force not to be deterred from your hacking goals. Then they wipe their Windows XP installation and install the thing so that they can escape from their cushy lifestyle into that of a runaway badass hacker who can't be stopped, and end up not only never figuring out how to hack anything, but also never figuring out how to get basic stuff done on Linux.

Hi Mental Outlaw, thank you for your videos, they effectively add insight and real value to the discussed topics. You know, IMO, I think that another reason for Linux to be secure is because of its architectural design, because basically, it is designed in layers like an onion for example, being the most inner layer the kernel. From there "to the outside" you have the other layers like video, audio, the user space and so on. So, as you can see, for malware to make a real damage it has not only to get permission, but also it has to reach the innermost layer of the system, which is the kernel. If for example, a certain user in the system downloads a malware, it will affect this particular user and will not have effective damage over the inner layers of the system. So, in order to bring peace again it would be enough to at most delete the users profile and recreate it again or have it restored from a backup, using tools like rsync for example, if you previously did a backup of course.

Another reason for Linux being more secure than windows is that a lot of Linux libraries are dynamic which means every single package uses same system libraries so if that lib have bugs and they fix it in the newest version of kernel it will be fixed for every single package that uses that lib There as in the windows world lot of the applications uses static libraries which means that libraries are inside the package itself and each developer should include that bug fix inside of there application So instead of just updating once to fix the bug you need to update every single application that uses that lib to fix bug

But can it survive my "sudo rm -rd /" virus?

BSDs are generally more secure.

You've got me convinced, I'm switching to linux as soon as I graduate from my online school that does not support linux.

That pie chart at 2:00 could be updated given its 6 years old as at the time of this comment. Surely the data is no longer valid.

This market share info is outdated. Linux is now at almost 3%

Why did you pick a operating system usage graph from 2014? It didn't even have Windows 10 on it, and a lot of people used Windows XP and Windows 7.

All of this open source stuff is only good if you have a fairly large audience. There are github repos that contain frameworks used by only a few developers but the projects using these frameworks have many users. And malicious people who may find those vulnerabilities and not choose to report them but abuse them this open sourcing helps them find the vulnerabilities much easier.

I think you touched in an important point when it comes to windows. That their security model is rather basic and only really got better since Vista/Windows 7. Furthermore most people want to run as admin on Windows when most users in Linux don't need to run as a admin (SU iirc) unless needed. This is further made worse with how often software on Windows needs to run on an admin account otherwise it just fails to work. If most windows based software can run well in a limited account and most users actually use the limited account windows would be much more secure OS. Not as secure as Linux though. You win there.

Windows has file permissions as well, In fact it is a huge part of most business domain servers. The truth is by default windows is awful with these permissions.

Most modern Windows systems have file permissions (ACLs), but other than that you're 100% right

I am a fan of the channel. Would you be willing to do an interview for the RU-vid show Linux Spotlight? The show tries to showcase the best thing about Linux, the community. In the show, each persons talks about their journey in Linux.

Although it's a good point about the execute permissions because as far as i know all browsers make downloaded files non executable on linux there's still the malware that works directly through browsers. There has been multiple bugs especially in chromium where script running on a page could escape the sandbox and actually affect the host operating system. Another thing i find a big problem on windows is cscript.exe because it's configured to run files such as .js by default and i've seen numerous cases where attackers sent javascript ransomware through email and in outlook just one click on the attached file and windows just run the javascript code without any prompting. Remember what is run by cscript is full javascript *including filesystem functions* not the sandboxed browser javascript allowing ransomware to encrypt the harddrive

I think the point about execute-permissions is a bit weak compared to the other very very good points you make here - not just because those permission do, in some more hidden, harder to utilize form, exist in windows too, but because a considerable portion of hardware is not "executing when you didn't mean to execute anything" (a word document disguised as an executable), but instead "executes when you meant to execute something else" ("this is a self-extracting archive that contains your word document"). If I believe that I've downloaded a legitimate program requiring execute-permissions won't be a safeguard in any way. Still a very good video, showcasing how much of Linux' safety comes not from the OS itself, but actually its community & individual users.

The biggest thing that feels safer to me in Linux is that if you make a root user, it's not an accessible account, you have to switch to it using the terminal for everything you want to do, then you go back to your regular user

Did you record this audio on a loading dock? Love the vids, thanky brain bandit.

It is always very interesting to listen to you, please keep going!

most malware samples I've looked at do not use any Kernel level exploits, very very few do, and when they do, it's usually nor a massive issue as you'd have to run them as administrator, many people regard the admin to system security boundary as unimportant. to encrypt all files on your drives doesn't take kernel, ring0 cpl. still I agree with most other points.

One thing you kinda glossed over that servers are actually running on Linux (20 to 90 percent, depending on which source you consult) and actually are a good target.

Just had my first full day of Linux (Mint), loving the control and it not doing whatever it wants

Some guys in my school made a desktop shortcut to the shutdown script for our computers. caused chaos when people clicked on it thinking it was chrome or files etc...

Hey, would you consider also hosting your videos on LBRY?

mental outlaw really swag !

To be fair.. Windows uses ACL for file permission, which isn't worse than Linux File Permission System. Yes, it gets undermined, if the user is an Administrator, but that is also the case, with the linux root user or just about any user which has access to sudo. If a malware gets past the UAC (which isn't trivial, as long as the UAC is protected with the account password (which really should be the default)), it gains full system access. But on the other side, if a malware gets past sudo, it also has full system access. No file permission system can help you in that case. But as long as we are talking about limited users without access to root/administrator, the file permission system from Windows isn't worse than the Linux permission system. And yes, Windows has a "Read & execute" permission in its acl and if you disable that for a specific user.. well.. in that case the user can't run the application. And yes, this also works for administrators (but obviously they can reenable this permission for themselves but again.. this is also the case for linux), and yes you can inherit this permission through an entire folder structure.. so you can make any application in for example the user folder not executable by default.

Windows also has a file permission system, it's just unknown and/or inaccessible to most users.

linux might have a smaller desktop share, but a MUCH MUCH higher server share, and servers are where the real money is, so it kinda evens out

Bro that 25% windows XP market share is insane to me. Even in 2014. That’s still a lot for back then.

Thank you for articulating this topic brilliantly. Many people, including an information technology professor I know, believe Linux has next to no malware because it's a small target and Windoze is a giant target. They do not believe Linux is inherently less vulnerable than Windoze. Baloney.

But the same logic can apply for advance Windows users who know what they are doing and check the software they install. To install software on WIndows it must have valid certificate or the SmartScreen will inform you about the mistake you are about to make. Any app that require more Administrative permissions will ask you to give such. Also there is Memory integrity feature for the code running in the kernel. It's mostly the user that makes it vulnerable. Of course you must trust MS nowadays that they patch it right on time and that won't break the system. The real beauty of Linux is control and privacy.

It's not the most secure OS. That's OpenBSD.

Linux = AMT conduits baked right in. Linux: Hi NSA, have some data! FreeBSD = What's AMT? IME: Can I has your data? FreeBSD: OK, but it's encrypted. IME: Can you decrypt it? FreeBSD: Nope :3

forgetting OpenBSD?

I don't know if secure is the word I'd use. According to several security websites, Linux can actually be a hassle to harden in regards to the kernel and so forth.

I love the running joke that 4Chan is an elite hacker group

I don't know if you purposely do this, and when you think about it, it's not weird at all, but I kinda get a kick out of you calling it "The macOS" instead of just macOS.

When you are connected to some device as 'group' or 'other' user and you have 'r' permission, just cat the file to your own and execute. That might be a flaw.

Could you please do a video about hardening gentoo on 2020?

Let me start by saying I am a fan of your show and I like all the content geared towards educating people about Linux and open source. Having said that I feel I need to correct/clarify a couple points you mentioned. And just so no one thinks I don't know what I am talking about. I have used and tested MANY flavors of Linux for over 20 years, since the Red hat 8 days. I have also worked in IT for most of that time, 10 years of which I did IT security for a number of private companies as well as for the Department of Health and Human Services. So the first point is, when you said there isn't a lot of malware for Linux. There is actually quite a bit of malware for Linux. I agree, not as much as for Windows but, still quite a lot. The reason has to do with my second clarification/correction. This one is one I wish more content creators would read up on and mention in their videos but, they don't. The issue is, while yes, only about 2% of the desktop market uses Linux, that is not the whole picture. The fact of the matter is that 76%+ of the internet is run on Linux servers and a huge number of companies also use Linux servers. For example, the financial industry relies heavily on Linux because it is so secure. Another one is Disney and Pixar that converted almost all of there graphic design and rendering servers over to Linux back in 2003 I believe, just to name some examples. Hackers know this, so a lot of malware has been developed for Linux. However, a significant portion of the malware for Linux in the wild requires user interaction in order to gain root permissions so it can actually do anything on a Linux system. In addition, some of the malware out there is just beta software that was developed by hackers and companies that wanted to see what was possible on Linux and a lot of these were eventually abandoned because the way Linux is setup prevented them from actually successfully infecting any Linux systems and being able to execute their payload. This is also the reason many anti-malware companies actually have versions of there software for Linux. Companies and governments need it to help keep their systems secure. The only reason most of these companies, like Norton and McAfee, don't sell the Linux versions of their software to the general public is because there isn't enough of a profit incentive to do so.

MacOS and Windows10 appear to have per-app folder access permissions. i.e. program X has access to Documents/. (Mac: Privacy and Security > Privacy > Files and Folders, Win10 Privacy > App Permissions > Documents). Is this a drawback for Linux? If I install somehow install a malicious program, or install a bad Python package, or install a bad npm package (i.e. via typosquatting), does Linux offer much protection for my personal files?

Bravo!

4:50 - I wish there was FOSS windows store / package manager, allowing in only FOSS

@2:01 that sure is an old graph, windows 10 didn't even exist yet

Thoughts on BSD?

Thanks brother 👍

9:54 “he doesn’t exist, he’s just an extension of your mind”

great information

While i late for party i still cant agree with file permission part. On Windows you can have much more granular file permission control, including execution. Its requires some tinkering, true, but its very possible.

I have the doubt, what about third party binaries, deb/rpm/run/sh when you can't find the program you need and have to download from a different source than the distro repositories. I know they need sudo root permissions to do their thing (if it is malware), but as an admin of my system, I constantly face this cause not all programs I need are available on the distro's repos or PPA's

1:59 May, 2014. lazy... one more problem at 6:21 . no further explanation on what software repositories are. from the context it is understood they are deployed by someone who has this authority and they are being kept online by a p2p network.(i dont know how repository works) but you never explain in in this video

This is all true, but there definitely are people who write malware for Linux, they aren't aiming that malware at the masses though, they target server farms and cloud services which almost all run on a Linux backend.

I thought you shouldn't use 3rd-party repositories, because they can cause many problems?

On Windows, programs with administrative privileges can easily install new trusted root certificates without the user knowing about it

there is also selinux to make permission better

Tux in armor makes me happy!

What is the name of that linux distro from 6:22 ?

Winux is a special breed, it can infect both Windows and Linux (a Winux on a Windows system also tries to infect ELFs that they have on the system for some reason aside from EXEs and vice versa).

oh ye thats a classy one i remember loading fraps waaaaaay back in 2009 on windows xp from a sketchy site and got trojan it triggered when i was playing warhammer online something something reckoning i was unable to switch keyboard layout i rebooted, and realized that my PC is bricked but i did had an antivirus software that was able to neutralize this thing so nothing was lost i just rebooted one more time and all was good

The biggest problems with MacOS and Windows is that they are already compromised before you even buy them because their respective vendors have full control over the systems. GNU/Linux has a similar problem but due to being open source to a lesser extend.

Can you put Linux onto a Mac or do you have to buy a Linux laptop?

Linux's access control is only on par with Window's access control unless app armor is configured.

What the, around 8 minutes into this there is a lot of background pan / scrap metal rattling that can be heard :D

Open source means more eyes on the code.

- smaller marketshare -> less people to hack - has a standard secure way to install applications and packages - open source kernel, so the bugs and abuses can also be found and fixed by the community there

hummm thing is you could find some malware for Linux since MOST servers run Linux. Also, even with only bash and Linux kernel, you could get sources from git and get every thing else then :3

What about qubes os

On Windows, always try to download the program from the official site.

May i correct you, python code doesn't need x persions unless you are ./ it

Hey bro, I found your channel recently and have really been enjoying your content. But I have to tell you, once you started comparing GNU/Linux file permissions to Windows - just had to say something! You've got it all backwards. GNU/Linux permissions are woefully inadequate when stacked up against an NTFS ACL. The ACL's in Windows are so granular and offer so much power that Microsoft developed the Security Descriptor Language (SDL) to allow applications and developers express or consume an ACL in a regular, condensed form. Not only are the individual file permissions more granular (with things like allowing read access for a directory and write access only on files you created), but an NTFS ACL will evaluate *nested* group memberships for both local and Active Directory groups - this is just not possible in GNU/Linux. As for security - what's the default home directory permissions on a fresh install of Ubuntu? 😉

I know Richard stahlman would be very happy you always say gnu/Linux giving them credit bc Linux was just the kernel

Thank you. 🎖🎖🎖

If the usual repositories have malicious files, Linux desktop will be completely infected. Also, who is checking the sources for malware? Are there any automated searches?

Linux has problem that it doesn't have layer where can be done security check like in Windows or Mac OS.

Good video.

Java is out of date, please click to update.

What's with FreeBSD?

I also want to note that to launch a payload, it is not necessary to run an exe or a picture from the administrator, 10-year-old viruses like njrat easily bypass this administrator

What about OpenBSD?

2014????

Makes sense

What’s going on in the background

I am not so sure, BSD and its derivatives might be the one? Just saying...

Haven't watched yet, but I'm going to say that there's multiple reasons. 1. The fact you have to keep entering your password to grant permission to make almost any changes to the system. 2. The fact so few people use desktop linux means it's not a very tempting target for bad actors, unlike server linux which is /heavily/ targeted. 3. Since most software is installed through repositories, unless the repository is compromised there's less vectors for viruses to infect you by chance, though you could still fall for a targeted attack if they know your're on linux. I'm sure there's probably a way for them to infect you through an email attachment or something, though far harder than it would be on windows since it would take more than just opening the attachment since it would need execute permission. 4. On the subject, files need a specific execute permission that's /not/ granted by default in order to actually run programs. 5. The general state that for most of the time it's been around and even to some extent now, you need to have at least some technical know-how to do more than the basics on desktop linux, and thus might be less likely to fall for shady stuff. All of this makes it much more unlikely for malware to be successfully executed on your system, but not impossible. Motivated hackers though could probably still get in through some exploit, but unless you're a big target like a business or like a celebrity, or just somebody who pissed off some hackers or something it's less likely to happen.