
Fwiw, you should never think about an OS in terms of what security features they have enabled by default. The OS is almost always designed to help the user use programs and to help programs run. Just assume it is not secure until you do an audit + lockdown yourself.

If you want a secure system by default, you should probably not use Linux. I would go with OSX or OpenBSD to start.

(And finally: mounting /usr read-only isn't actually a security feature, because if you can exec code you can run a privesc and remount /usr read-write; mounting as noexec could arguably be considered a security feature)
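An added example, not part of the comment above: a small audit of mount flags in `/proc/mounts` format, reporting user-writable paths that lack `noexec`, `nosuid` or `nodev`, including paths that are not separate mounts and so inherit their parent's flags. The sample mount table and the policy paths are constructed assumptions.

```python
import re

# Constructed sample in /proc/mounts format (not taken from the thread).
SAMPLE_MOUNTS = r"""/dev/sda2 / ext4 rw,relatime 0 0
/dev/sda3 /usr ext4 ro,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev 0 0
/dev/sda4 /home ext4 rw,nosuid,nodev,relatime 0 0
"""

# Assumed policy: paths unprivileged users can write to, and the flags wanted there.
POLICY = {p: {"noexec", "nosuid", "nodev"}
          for p in ("/tmp", "/var/tmp", "/dev/shm", "/home")}

def _unescape(field):
    # /proc/mounts encodes space, tab, newline and backslash as \ooo octal.
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), field)

def parse_mounts(text):
    """Return {mountpoint: set(options)}; later entries shadow earlier ones."""
    mounts = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 4:
            mounts[_unescape(fields[1])] = set(fields[3].split(","))
    return mounts

def covering_mount(path, mounts):
    """Longest mountpoint that is `path` itself or a parent directory of it."""
    hits = [m for m in mounts
            if path == m or path.startswith(m.rstrip("/") + "/")]
    return max(hits, key=len) if hits else None

def audit(text, policy=POLICY):
    """Return {path: (covering mountpoint, sorted missing flags)}, gaps only."""
    mounts = parse_mounts(text)
    findings = {}
    for path, wanted in policy.items():
        mp = covering_mount(path, mounts)
        missing = wanted - mounts.get(mp, set())
        if missing:
            findings[path] = (mp, sorted(missing))
    return findings

if __name__ == "__main__":
    for path, (mp, missing) in audit(SAMPLE_MOUNTS).items():
        print(f"{path}: on {mp}, missing {','.join(missing)}")
```

On a live Linux system, pass `open("/proc/mounts").read()` to `audit()` instead of the sample.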




OSX, really? It's had more than one privilege escalation exploitable from just a shell prompt (e.g. the DYLD_PRINT_TO_FILE bug).

Not really surprising since it's overwhelmingly used in practice as a single-user system.


OSX? How is that more secure by default than Linux?


Fewer published exploits. Okay, so "more secure" isn't exactly correct, maybe "more difficult for a 10 year old with Metasploit to own it".


Who'd've thought that an OS that is rarely used to serve remote content is more resilient against software focused on breaking into remote systems?



