
Is the Linux Desktop less secure than Windows 10? [pdf] - kodfodrasz
https://fosdem.org/2017/schedule/event/linux_desktop_versus_windows10/attachments/slides/1730/export/events/attachments/linux_desktop_versus_windows10/slides/1730/fosdem_linux_desktop_security.pdf
======
SwellJoe
It's interesting that the problems are all with things that I actively
_dislike_ about the modern Linux desktop. I mean, I guess it's OK that it
creates thumbnails of images...but, the tendency to grind away for seconds
whenever opening a big folder (Windows does it, too, I guess) is just
annoying. I end up using command line most of the time for file management
tasks because it's too slow and cumbersome to use the UI.

Also, it seems to be file types that would never be automatically parsed on
Windows or Mac. I mean...a Nintendo music file? Why on earth would the desktop
environment need to do that? (And, I say this as someone that composes
chiptunes and enjoys listening to them, but I don't need my desktop
environment to grok them).

And, I guess I like that Linux does things out of the box that Windows and Mac
need third party apps for (much less so, today, but still a factor I notice
when I reboot into Windows). But, maybe this is overkill?

And, yes, I think it's clear that Microsoft made a significant investment in
security a decade or so ago, and it has paid off massively. Windows is
remarkably more secure, stable, and reliable than it was a decade ago. I still
prefer Linux, but the case for Linux over Windows is nowhere near as
compelling and clear cut as it once was.

~~~
throwanem
> Windows does it, too, I guess

No, it generates thumbnails outside the main UI thread; sometimes it's a bit
slow in so doing, but I've never seen it hang an Explorer window, regardless
of file size or quantity. (Windows 7, but it would astonish me to learn that
10 displays a regression here.)

~~~
DanBC
It's pretty well known. There are several workarounds.

One is to optimise view for general, not images or video or sound.

Another is to "reset your folders"

[http://superuser.com/questions/1097394/windows-10-download-f...](http://superuser.com/questions/1097394/windows-10-download-folder-slow-to-display-contents)

~~~
dajohnson89
Might another option be to have the default view be "List"? I'm not sure if
that's possible, but I've been wanting to do this for years.

~~~
throwanem
In everything from XP through 7, you can. Select the view you want to make
default, then press Alt to display and activate the menubar. In the Tools
menu, choose Folder Options; on the View tab, click Apply to All Folders.
Current Explorer windows may need to be closed and reopened to show the
change; all newly opened windows from now on will take the view you chose as
their default, but also remember any changes you make to a given folder's
view.

I generally prefer Details view myself, but know no reason why this shouldn't
work for List or any other. Enjoy!

------
xpaulbettsx
I mean, the answer is unequivocally, without the slightest doubt, yes. The
Linux Desktop is probably a good 5-10yrs behind Windows 10 in terms of
defense-in-depth mitigations as well as exploits in common targets like file
parsers etc etc.

[https://www.blackhat.com/docs/us-16/materials/us-16-Weston-W...](https://www.blackhat.com/docs/us-16/materials/us-16-Weston-Windows-10-Mitigation-Improvements.pdf)
is a good reference for all the stuff that Desktop Linux in 2017 is for the
most part, missing

~~~
AsyncAwait
The thing with the Linux Desktop is that you can selectively enable SELinux,
use PaX etc. and have security comparable to, if not better, than Windows 10,
plus the fact that Linux is a much more varied attack surface still applies.

Or you can do nothing, in which case you're probably less secure.

~~~
thatcat
Where's a good place to get a general guide on every day desktop use of
SELinux, PaX, etc?

~~~
bigbugbag
Arch wiki is a goldmine:
[https://wiki.archlinux.org/index.php/Security](https://wiki.archlinux.org/index.php/Security)

------
xorcist
When this metadata indexing was introduced in gnome/kde many users complained,
because it pegged their cpu and was really unasked for. But some felt that
this was something the MacOSX had and therefore some developers felt it was a
good default. I'm not convinced, partly because of the increased attack
surface.

The desktop environment itself is but a small part of the complete desktop.
Some important differences between those specific desktops are: 1)
Clicking a file both runs the code and opens the file, and difference is
hidden from the user. 2) Mail clients start pretty much any software
automatically to open attachments. 3) Office software runs code embedded in
documents with just a user prompt. 4) A lot of plugins are active by default.
Flash and ActiveX used to be, but this is better now. 5) Code is run
automatically on removable media insertion. 6) Users download software from
random web pages instead of vetted archives.

These things are not technical but behavioral in nature and make desktops
ownable. I hope the Linux desktop never emulates them. Web browsers have
gotten so much better but one simple thing they could do is stop downloading
things automatically. That save dialog won't scare anyone, and users will stop
having lots and lots of unknown files in their download directory.

~~~
bkor
Showing dialogs is not a solution. Various studies have already shown users
click any dialog which pops up without actually reading the dialog.

Loads of browsers do download automatically. Making things inconvenient and
delegating security decisions to the user isn't good enough. Make it
convenient and secure!

PS/Edit: Btw, under Windows 10 loads of things are indexed. It makes things
very convenient. You use your pc like Google. Instead of knowing exactly where
things are you just "Google" for it. With that I mean it has a good working
search that's also really quick in giving accurate results.

~~~
ageofwant
'locate' is 35 years old. And has been available on linux desktops since 1991.
Just saying.

~~~
bigbugbag
Hasn't it been replaced by slocate, mlocate, tlocate or another variant since?

~~~
ageofwant
Yes, and there were a few implementations from different groups, as you would
expect. I'm typing this on a current Arch and locate, mlocate and slocate are
all available from the mlocate package.

~~~
untoreh
They are most likely symlinks to mlocate

------
hannob
Speaker here.

As the slides may not tell the whole story (there should be a video soon), I
covered this mostly also for LWN recently:

[https://lwn.net/Articles/708196/](https://lwn.net/Articles/708196/)

~~~
nottorp
Video? What happened to good old fashioned text? I can read 10x faster than
you can talk...

~~~
davidp
Yeah, screw that guy for offering free quality content in video form, AND the
nicely written text piece you just asked for.

~~~
nottorp
Where is it? The PDF has some slides, not actual text, and the LWN article is
also just a summary.

~~~
joosters
_(there should be a video soon)_

------
dijit
Feeling mighty smug about my preference for tiling window managers and minimal
distro choices.

But I shouldn't, they found bugs in software I use daily (ffmpeg for example),
it would be relatively trivial to make me execute something with it, since my
brain is trained to 'exes as threats' not mp3s.

~~~
viraptor
Selinux / apparmor / grsec-rbac can do wonders here. Your MP3s should not
execute new code and your system can enforce it.

------
CJefferson
I believe in sandboxing, I hope it gets better and easier to use.

I work on several C programs. I wish for the day when we have an easy to use,
cross platform method of setting up a small set of open files at the start of
a program, then be able to say "No more file access, no more network
connections".

I know this hides a whole bunch of complication, which is why it's hard and
why there are so many ways to do it -- I view it the same way as the move to
distinct virtual memory spaces for each process. Once we have it we'll wonder
why we ever allowed every program free access to the whole file system for
its entire life-span by default.

~~~
swixmix

> say "No more file access, no more network connections".

Looks like you're advocating OpenBSD's pledge(2).
[http://man.openbsd.org/OpenBSD-current/man2/pledge.2](http://man.openbsd.org/OpenBSD-current/man2/pledge.2)

~~~
CJefferson
That is one thing I've looked at, and it looks great.

Hopefully someone (and it won't be me :) ) will write a library which looks
like pledge but wraps all the various things in different OSes (I hear words
like seccomp on linux)

------
nottorp
Hmm. If I look at the slides, the article should be renamed "gstreamer, and
some stuff browsers on all platforms do, are insecure"? Is it easier to change
your media player on Linux, or to trust Microsoft?

Say, does a default Windows install still enable 20 networked services that
don't belong on a home computer and can be exploited without the user
downloading anything?

~~~
bigbugbag
This title is pure sensationalism. The written piece says clearly "security
vulnerabilities in the GStreamer multimedia framework. A combination of the
Chrome browser and GNOME-based desktops creates a particularly scary
vulnerability.". Somehow this very specific combination inflated to become
Desktop Linux.

My default installation came with VLC, firefox and KDE. No gstreamer nor gnome
installed, google products including Chrome are not welcome. Though I'm pretty
sure manjaro is part of the Desktop Linux family.

Too bad this misrepresentation is hurting the message OP is trying to carry to
the world. Then this message is hardly news, the guys at grsecurity have been
at it for 15 years providing hardening security patches to the vanilla kernel.

~~~
notalaser
Baloo, KDE's indexing engine is apparently hit by the same vulnerability that
hits Tracker (except they didn't fix it, according to the article). Also, are
you sure Firefox and none of the KDE applications are using gstreamer for the
backend (e.g. for HTML5 videos)?

I dislike this idea that the Linux desktop is all Gnome and systemd, too, but
the situation is pretty disastrous. Things that have an X in them, from X11 to
(especially...) XDG shouldn't be trusted too much...

------
viraptor
Important bit is on the later slides: Issues on most codecs/parsers can be
prevented by sandboxing. An exploding parser should never affect other
processes, files, etc.

Seccomp (bpf version) is only available since 2012 really, but I hope more
apps will start picking it up. It's pretty simple it should become a shameful
thing not to use it in new apps.

~~~
bigbugbag
No need to wait, you can sandbox your applications now:
[https://wiki.archlinux.org/index.php/Security#Sandboxing_app...](https://wiki.archlinux.org/index.php/Security#Sandboxing_applications)

~~~
viraptor
You can apply the generic sandboxes to the whole process, but that's not the
same as a targeted seccomp. For example, you can use one of the external jails
to stop your media app from using the network, and that's great. But what if
you want to stream content from the internet? Without changing the source, you
can't apply the no-network rule only to the decoding part. That's what still
needs work from the maintainers.
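
The pattern CJefferson asks for and viraptor describes (open what you need, then lock down only the decoding part), sketched for Linux with seccomp strict mode; this is an added example, not code from the thread or from any project mentioned in it. toy_decode, decode_sandboxed and the misbehave flag are hypothetical names, and the sample input is constructed.

```c
#define _GNU_SOURCE
#include <linux/seccomp.h>
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical stand-in for a codec or parser: sums the input bytes. */
static uint32_t toy_decode(const unsigned char *buf, size_t n)
{
    uint32_t sum = 0;
    for (size_t i = 0; i < n; i++) sum += buf[i];
    return sum;
}

/* Decode `in` in a child that can only use its two inherited pipes.
 * Returns 0 on success, the fatal signal number if the worker was killed,
 * or -1 on other errors. `misbehave` simulates a compromised parser that
 * tries to open a socket after lockdown. */
int decode_sandboxed(const unsigned char *in, size_t len, uint32_t *out, int misbehave)
{
    int inp[2], res[2], status;
    unsigned char buf[4096];
    if (len > sizeof buf || pipe(inp) || pipe(res)) return -1;
    /* The unsandboxed side (which may keep network access) queues the data. */
    if (write(inp[1], in, len) != (ssize_t)len) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        close(inp[1]); close(res[0]);   /* keep only the descriptors needed */
        /* From here on: read, write, exit, sigreturn. Anything else is SIGKILL. */
        if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_STRICT) != 0) syscall(SYS_exit, 2);
        if (misbehave) socket(AF_INET, SOCK_STREAM, 0);
        ssize_t n = read(inp[0], buf, sizeof buf);
        uint32_t r = toy_decode(buf, n > 0 ? (size_t)n : 0);
        if (write(res[1], &r, sizeof r) != (ssize_t)sizeof r) syscall(SYS_exit, 3);
        /* Raw exit(2): glibc's _exit() issues exit_group, which is not allowed. */
        syscall(SYS_exit, 0);
    }
    close(inp[0]); close(inp[1]); close(res[1]);
    ssize_t got = read(res[0], out, sizeof *out);
    close(res[0]);
    if (waitpid(pid, &status, 0) < 0) return -1;
    if (WIFSIGNALED(status)) return WTERMSIG(status);
    return (WIFEXITED(status) && WEXITSTATUS(status) == 0 &&
            got == (ssize_t)sizeof *out) ? 0 : -1;
}

int main(void)
{
    const unsigned char sample[] = {1, 2, 3, 4};    /* constructed input */
    uint32_t sum = 0;
    int ok = decode_sandboxed(sample, sizeof sample, &sum, 0);
    int killed = decode_sandboxed(sample, sizeof sample, &sum, 1);
    printf("clean run: rc=%d sum=%u; socket() after lockdown: rc=%d (SIGKILL=%d)\n",
           ok, sum, killed, SIGKILL);
    return 0;
}
```

Strict mode is the bluntest form of seccomp; a BPF filter allows a finer allow-list at the cost of more setup.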

------
blorgle
I am a big fan of grsec, RBAC and sandboxing stuff. But let's be real here
people! Those are good features on servers where there isn't a giant security
black-hole called X, where any local exploit of the app can turn it into a
compromise of the entire GUI system.

Look at the hoops that adversary resistance focused distros like SubgraphOS
have to jump through just to mitigate the giant attack surface that X opens.

Until Wayland becomes the _usable default_ standard, "Linux Desktop Security"
is an anachronism.

~~~
bkor
Security should be multi layered. So if one thing fails there's still yet
another layer of defence. This because everything will have bugs anyway, so it
should be assumed none of the layers will ever be fully secure.

systemd offers various methods to restrict daemons in their abilities. That's
hardly used. Only recently tracker started sandboxing their indexers. Why
block adding other security layers on Wayland? There's no need to wait, nor do
these layers depend on another.

~~~
digi_owl
The best defense in this regard is not do jack all unless the user asks for
it.

~~~
bkor
That's how Flatpak works with its portals, so assume you'll now read what I
wrote instead of simple responses?

~~~
digi_owl
Should have guessed you would claim that monstrosity as the fix for your
(Gnome's) other monstrosity.

~~~
bkor
I didn't argue that there's one fix, I mentioned that there should be multiple
layers. If you'd read what I write you'd have known this. Further, just being
negative and calling names vs maybe making an argument isn't helping your
case.

You dislike GNOME.. meh.

------
TheManuell
About the $10K: don't forget that the French Gendarmerie runs on Ubuntu. See
[https://en.wikipedia.org/wiki/GendBuntu](https://en.wikipedia.org/wiki/GendBuntu)

~~~
bigbugbag
Sorry but the French Gendarmerie does _not_ run on Ubuntu. They use a custom
made distro called GendBuntu which is based on Ubuntu as Ubuntu is based on
Debian.

~~~
Arizhel
Do you work in/for the Gendarmerie?

I seriously doubt it's like you say. It's probably a lot more like a "custom
made distro" that's based on Ubuntu as Linux Mint is based on Ubuntu: all the
core stuff exactly the same, and a few things on top different (namely the DE
in the case of Mint).

------
rkv
> ASLR: Debian: Work in progress (Stretch / 2017).

From the dpkg-buildflags manpage:

> Additionally, since PIE is implemented via a general register, some
> architectures (most notably i386) can see performance losses of up to 15% in
> very text-segment-heavy application workloads; most workloads see less than
> 1%. Architectures with more general registers (e.g. amd64) do not see as
> high a worst-case penalty.

Is this the reason why the adoption of pie is so slow? Does rust enforce
hardening techniques?

------
aomix
I've read the OpenBSD developers poke fun at Linux by saying the same thing.
During the 2000/XP time frame security became a serious threat to Microsoft's
market dominance. Since then Windows has kept up with the best security
practices and technologies better than most. It's very impressive considering
I can still run Windows 2000 binaries on Windows 10.

------
snowpanda
Not really fair to compare every Linux distro vs one version/distro of
Windows.

>KDE has baloo

Again, not every Linux user uses KDE. That's like saying Windows 10 is less
secure because of Total Commander[1].

[1][https://en.wikipedia.org/wiki/Total_Commander](https://en.wikipedia.org/wiki/Total_Commander)

------
partycoder
It is important to decouple distributions from Linux itself. Some
distributions do not place security as their top-most priority, but rather
ease of use.

Then, there is no "one" Linux desktop. You have different X servers, different
window managers, different desktop environments...

In Windows there's only one of everything, the configuration is less flexible
in terms of what things you can disable, and once something is vulnerable
that's it.

e.g: Vulnerability in fonts being rendered on the kernel? What can you do
about it exactly? Nothing but to wait for updates... but then the Flame
malware installed itself via Windows Update. It's fantastic.

------
unsignedint
If anything, Linux may benefit from relatively varied installation states in
security scheme (SELinux, Apparmor, etc.), libraries included, and desktop
environment. It is perhaps a bit harder to pull off one-size-fits-all attacks.

Things like data at rest protection seem to work better on Linux; as far as I
know, there isn't an out-of-the-box solution for Pre-boot authentication for
Windows, for instance.

Edit: To the latter point, it looks like BitLocker has the mode to allow that,
if you have Professional/Enterprise with TPM...

~~~
my123
Windows RT was the playground for Windows security ideas. Every Windows RT
device connected to a Microsoft account has device encryption backed by the
TPM enabled for example...

------
r3bl
Ironically, I didn't pay attention to the "[pdf]" part of the title, and as
soon as I clicked the link, the PDF file got downloaded.

I have a pretty strict AppArmor profile for Evince (AKA Document Viewer on
GNOME-based DEs), so I thought that automatically downloading PDFs and opening
them in Evince instead of in the web browser would be safer. I didn't even
think about this kind of attack surface.

~~~
andai
Apparently, the code for parsing PDFs has grown larger than the linux kernel.
That's quite an attack surface!

------
tomxor
Why are they comparing bugs from Ubuntu 12 "unity" to windows 10 and calling
it "linux security", this is like shitty statistics... you narrow your field
enough and you will contrive the result you were looking for like a
numerologist.

------
qznc
I'm irritated about the initial example, which targets "Ubuntu 12.04". Why
this 5 year old version? Is it fixed already in newer ones? Because it will
never be fixed for 12.04 and people are still using it?

~~~
dchest
Ubuntu 12.04 is supported until April 2017, so yes, it's still an "active"
version, and security issues should be fixed.

------
jlebrech
it's only as secure as the user

~~~
bkor
You can make things more secure or less secure no matter the user.

Also: if one desktop doesn't check SSL certificates and the other desktop
does, then one desktop doesn't even enable the user to be secure. Checking SSL
certificates is a pretty recent thing btw. E.g. various mail clients accept
any self signed certificates silently.

------
nimish
Given that piping curl in bash with sudo is considered acceptable, this is not
surprising

~~~
digi_owl
Outside of architecture astronautical web development (usually done on a Mac
while sipping some kind of coffee and milk blend) no it is not acceptable one
bit.

~~~
Accacin
I mean, even to install Rust they give you a command to do this. So no, it's
not just web dev.

~~~
digi_owl
Well Rust is a Mozilla creation, and Mozilla is first and foremost a web
company...

------
tambourine_man
No.

Betteridge's law of headlines:
[https://en.wikipedia.org/wiki/Betteridge's_law_of_headlines](https://en.wikipedia.org/wiki/Betteridge's_law_of_headlines)

------
beegeezuz
what Linux desktop?

~~~
digi_owl
The Gnome DE...

~~~
bkor
Apport, gstreamer, Tracker/Baloo, Chrome/Chromium/Epiphany, ASLR isn't just
GNOME. It seems investigation started on Ubuntu (Unity 7). It affects multiple
desktops and as others note, also Baloo.

------
general_ai
There's security and there's safety. Linux desktop may well be less secure,
meaning that it could be successfully attacked by an experienced attacker. At
the same time it's far less likely to be attacked, so it's safer, for the same
reason as macOS: less marketshare, few people are motivated to learn/research
attack vectors.

~~~
rimantas
Once again: Mac OS in pre-X days had even smaller market share, but many many
more viruses in the wild. It's not all about the market share.

~~~
c3833174
But which kind of virus?

An internet-distributed one would be pretty futile, but a diskette-spreading
one aimed at a lab with several macs could be pretty successful.

------
dcdevito
err but Linux is mmer secure....derp derp

~~~
sctb
Please don't post like this here.

------
jumanchiss
of course not

[https://threatpost.com/microsoft-waits-for-patch-tuesday-to-...](https://threatpost.com/microsoft-waits-for-patch-tuesday-to-fix-smb-zero-day/123541/)

------
baldfat
Click Bait Title

Anyone care to define default outside of Ubuntu?

I run OpenSUSE and have it down to just a tiled window manager, terminal and
FireFox.

------
eruditely
They just don't have the money. They're behind because it never got the
inertia of accumulated capital infrastructure, and it's finally starting to
show. I bailed out to OS X late last Christmas.

