Hello,
I think that the “Can PureOS protect me from viruses, malware and cryptolocker?” section and the following one in the FAQ don’t make much sense. The answer first states that PureOS is based on Linux and because of that it’s safer than other OSes. That statement is dubious at best. Then they still recommend AV software: ClamAV and a firewall. ClamAV has a very bad detection rate on Windows. I don’t know any reputable GNU/Linux AV rating, but that’s not the point.
I think that those sections should be replaced by an explanation that PureOS and all packages in the repo are FOSS. Thanks to that they can be, and sometimes are, reviewed, analyzed or audited. Debian has very high inclusion standards and developers and maintainers review the source code of their packages. That makes it less likely that there will be a malicious package in the repo than in an app store and it’s much better than downloading installers from various sites. Other security features of PureOS can be listed after that.
I think that it’s also important to say that downloading and launching a malicious binary or installing a malicious package can still compromise your entire system, and the fact that you are using PureOS won’t protect you against that.
Security in general is nebulous. Companies all need to be very careful (some might even say coy) about what they say regarding it and their products.
I think you make good points, but I think they should say less and not more. They should say something like, we give you products that provide you with an excellent private and secure foundation. It is however up to the customer / user to ensure they are secure.
Using the amount of malware present on a platform as an indicator of its security is like saying that a car is good because there are a lot of aftermarket parts for it.
Windows has the most malware because it is the most used OS.
MS might be a lot of things, but they have been fighting this for decades. If they haven’t learned a thing or two as a result they’d have bled all of their customers a long time ago. The market and industry would seem to say otherwise.
Linux is secure because it is obscure. Imagine if the army of people making Windows malware just shifted to Linux. Do you really think Linux will fare well?
I don’t. Not even for a second.
*I’m talking about Desktop here specifically. Not servers.
The AV-TEST data doesn’t show much correlation between the number of devices that use an operating system and the amount of malware that is created for that operating system.

Malware (AV-TEST) and devices in H1 2016, in millions

| OS | Malware (M) | Devices (M) | Devices / malware |
|---|---|---|---|
| Windows | 388.9 | 1300 | 3.3 |
| Script | 110.5 | | |
| Android | 43.3 | 2000 | 46 |
| MacOS | 0.41 | 100 | 247 |
| Mobile | 0.06 | | |
| DOS | 0.06 | | |
| Linux | 0.12 | 25 | 216 |
| Other | 35.3 | | |
| Total malware | 578.7 | | |

There were 3.3 Windows devices for each malware sample that AV-TEST found, but 247 MacOS and 216 desktop Linux devices for each malware sample. The data shows that the amount of malware depends more on other factors than the number of devices.
If you read my answer, you will see that I’m not making the argument that Linux is better designed for security than Android. I acknowledge that PureOS/Phosh on the Librem 5 doesn’t yet provide proper sandboxing of its applications, secure booting and a hardware backed keystore, and it lacks a lot of the low-level security features of Android.
My argument why the Librem 5 is safer than an Android phone is:

1. It is difficult to get malware into the Debian repositories because it mostly only accepts FOSS and a malware creator has to convince an experienced Debian developer to sponsor the project, to serve as a mentor and upload the package to the repo. In contrast, it is much easier to get malware into the Play Store, which studies have shown to contain malware.
2. There aren’t many effective means to distribute malware in the Linux world since few people install software that doesn’t come from the official repo, but Android users do install apps from unapproved sources.
3. Android users are on average easier and more gullible targets than Linux phone users.
4. The Librem 5 is more likely to receive timely security updates than the Android phone and for far longer.

I think that the reason why Windows has more malware than Android despite the fact that Android has more users is because there are more opportunities to distribute malware with Windows, because people are accustomed to downloading and installing software from many sources with Windows and people are accustomed to downloading and opening attachments (docx, xlsx, pdf, etc.) and opening them in other programs when using Windows, whereas they don’t do that nearly as much in Android.
The reason why I bring up the AV-TEST data is because it shows that 3400 times more malware was created for Windows than Linux in H1 2016. For the user it doesn’t matter why there is more malware; it only matters that she is statistically more likely to have problems with malware if using Windows.
For instance, most Linux distros I’ve used personally have the user create an account on install and add them to the sudoers group; thus a user has to type in their own password (or click yes/ok/approve depending on configuration) for elevated privileges (for things like installing software). The root account may or may not be disabled depending on distro.
Windows, since Vista (2007), has done essentially the same thing. During install a new user account is created where the user has to put in their password (or click yes/continue depending on configuration) to elevate privileges for things such as installing software. The built-in administrator account is disabled by default.
At this point that aspect of OS security is similar (MacOS even provides a nearly identical experience).
And to be clear, the Windows “Administrator” group is equivalent to sudoers and the built-in administrator account is equivalent to root. There are some things that cannot be done even with a user account in the administrator group, similar to how a sudoers account isn’t quite the same as root.
Thanks for providing the link to the Librem 5 FAQ. I think that basically something similar should be written in the PureOS FAQ.
It’s more difficult to distribute malware through official channels because FOSS and Debian has high standards
It’s more difficult to do so through other channels as well. On Windows if you download a script or executable and double click on it, it will get executed. You double click on an executable with a double extension and a document icon and you might not even know what happened. I even saw a loader in a shortcut file because you can pass arguments to apps like that. It was launching cmd with a command downloading and launching an unreadable file. By comparison, when you double click a file in GNOME Nautilus it will open in a text editor. That behavior can be changed, but if it becomes a problem, it can be hidden behind a big warning or completely removed. Same for installing packages or adding repos from the GUI. Piping curl to Bash will still be a problem, but in the end it’s user freedom to shoot themselves in the foot. I think that it will be similar to users installing Android apps from untrusted sources.
I also doubt that sandboxing will make sense on the desktop. A typical pro desktop workflow includes passing the same data through multiple programs or opening the same files in various apps. Having .cache, .config and .local sandboxed won’t help much. There will still be a shared storage that many apps will need to access.
I think that the most important thing for desktop security is making it difficult to run untrusted code on users’ machines.
I’ve never seen a personal-use Windows setup such that the user is required to enter a password to elevate privileges; it’s always that UAC yes/no dialog that people treat like EULAs, “yes, whatever, just do it!” even if it’s not obvious where it came from. The yes/no dialog doesn’t contain a password entry field because the user already has admin privileges. Further, that UAC dialog is not difficult to bypass.
Perhaps they’re a bit more DISsimilar than you might think.
That was the default for Vista initially, then people complained and the default setting was dropped to prompt to approve from prompt to enter password. I have seen Linux set up in this same way, mostly to appease users just as was done in Windows.
As far as the continue/yes resulting in people treating it like an EULA… How do you think they behave when they are just as frequently prompted for their password? People who aren’t interested in understanding what they’re doing are going to complain that this is getting in their way either way.
To that end, how do you provide users the freedom to install whatever they want while protecting them from things that will compromise their security when they won’t put forth any effort of their own?
I also see you ignored the difference between the administrator group and the administrator user.
The point is they both have a separate root/administrator user and sudoers/administrators groups. Just because Windows uses confusing naming doesn’t mean the effective similarity isn’t there.
The Windows default does not prompt for a password to do admin things like edit the registry, unless this has changed in the last year. A VM will answer this question for us.
For your EULA questions, I don’t have an answer. The users are ultimately responsible for what they put on their systems, I just think “yes/no” is easier to overlook.
I think rather the point is that upon installation, Windows users log in as “root,” in that they can act without entering a password upon action (see first paragraph). This doesn’t happen in Linux (assuming default installation parameters for both OSes).
To illustrate it another way, Windows users never complain about “permission denied” errors. If we still disagree, then I don’t see what it is I’m missing aside from semantics.
I think that UAC isn’t actually that important. Probably most PCs are single user. A malicious program does not need root to access all user files. If for some reason I wrote a malware that needs root, I would rather add an alias to my wrapper-loader as sudo or any privileged command frequently used in the .bashrc and not just go and request high privileges on launch. I could also override the .desktop file of any popular GUI app that requests root. Probably even an experienced user would not even notice that something bad just happened.
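A defender-side check for the two user-level tricks mentioned in the post above, as an added example that is not part of the original thread: it flags shell startup files that redefine `sudo` or similar commands, and per-user `.desktop` launchers that shadow a system launcher with a different `Exec=` line. The command list, rc file list, default paths and the sample home directory are assumptions constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Assumption: commands worth protecting; extend for your environment.
PRIVILEGED = {"sudo", "su", "pkexec", "doas"}
RC_FILES = (".bashrc", ".bash_aliases", ".bash_profile", ".profile")
# Matches "alias NAME=", "function NAME" and "NAME ()" definitions.
DEFINE = re.compile(r"^\s*(?:alias\s+([\w.-]+)=|function\s+([\w.-]+)|([\w.-]+)\s*\(\s*\))")

def shadowed_commands(home):
    """Return (file, line number, command) for rc lines redefining a privileged command."""
    findings = []
    for name in RC_FILES:
        rc = Path(home) / name
        if not rc.is_file():
            continue
        for lineno, line in enumerate(rc.read_text(errors="replace").splitlines(), 1):
            m = DEFINE.match(line)
            cmd = next((g for g in m.groups() if g), None) if m else None
            if cmd in PRIVILEGED:
                findings.append((name, lineno, cmd))
    return findings

def exec_line(path):
    """Return the first Exec= value of a .desktop file, or None if absent."""
    for line in Path(path).read_text(errors="replace").splitlines():
        if line.startswith("Exec="):
            return line[len("Exec="):]

def overridden_launchers(home, system_dir="/usr/share/applications"):
    """Return (name, user Exec, system Exec) for user launchers shadowing a system one."""
    hits = []
    for entry in sorted((Path(home) / ".local/share/applications").glob("*.desktop")):
        system_entry = Path(system_dir) / entry.name
        if system_entry.is_file() and exec_line(entry) != exec_line(system_entry):
            hits.append((entry.name, exec_line(entry), exec_line(system_entry)))
    return hits

def demo():
    """Run both checks against a constructed home directory (sample data, not real)."""
    with tempfile.TemporaryDirectory() as tmp:
        home, system = Path(tmp, "home"), Path(tmp, "system")
        (home / ".local/share/applications").mkdir(parents=True)
        system.mkdir()
        (home / ".bashrc").write_text("alias ll='ls -l'\nalias sudo='/tmp/example-wrapper'\n")
        (system / "editor.desktop").write_text("[Desktop Entry]\nExec=editor %f\n")
        (home / ".local/share/applications/editor.desktop").write_text("[Desktop Entry]\nExec=/tmp/example-wrapper editor %f\n")
        return shadowed_commands(home), overridden_launchers(home, system)
```

On a real system, call `shadowed_commands(Path.home())` and `overridden_launchers(Path.home())`; a hit is a prompt to review the line, since legitimate customisations also define aliases and local launchers.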
You’re right, they do, which supports what @OpojOJirYAlG was saying. I guess I’ve been out of the game too long and I got hung up on password requirement. Sorry about that.