Hacking Linux Exposed





Linux is a securable operating system

We'd love to say that Linux is more secure than any other operating system, but to do so would be a lie. Any operating system can be configured poorly and become insecure, Linux included. However, we argue that Linux, as with other Open Source operating systems such as {Net,Free,Open}BSD, is inherently more securable than closed-source operating systems because it is entirely a 'crystal box'. We will use Windows as an example of a closed operating system for comparison:

Code reviews

  • Thousands of programmers actively view, comment upon, and modify Linux code. Anyone who wishes to look at the source code, for whatever reason, can do so easily.
  • There is a much smaller number of programmers that view, comment upon, and modify Windows code. If you wish to review the source code of Windows, your options are to become a trusted Microsoft employee or to break into their network. (We are not suggesting you break into their network, though it was done several times recently.)
Public forums
  • Linux developers have many avenues to communicate: USENET, web sites such as slashdot.org, and email lists. Thousands of diverse Linux developers around the world monitor these communication venues daily, and fast dissemination of information is the norm.
  • Communication venues for Windows are accessible only to Microsoft employees. Employees are not allowed to disclose anything they find, and would face legal action should they do so.
Linux Developers want it secure
  • Linux developers want Linux to be secure, and they have little stopping them from making it so.
  • Windows developers probably want Windows to be secure as well, but they have a lot of other issues to be concerned with that Linux developers do not - schedules, managers, and stock price to name a few.
Nothing to hide
  • Linux cannot hide anything - the code for every program is available for review. When a security problem is found, the community embraces the news, develops and announces a fix quickly, usually the same day. Users can decide which patches to apply at their discretion.
  • Since no source is available for Windows, Microsoft can hide anything they want to. Known bugs can be included in final production code without the user knowing at all. Users are not able to determine causes of malfunctions themselves, and must rely on Microsoft to decide if a problem exists, and if it is worth fixing.
  • Linux is not for profit - therefore there are no shareholders to answer to. There are some companies that sell Linux distributions or Linux services, and often these release their code to the Internet community free of charge as well.
  • Windows is developed by Microsoft, and ultimately Microsoft must answer to its shareholders. This can result in releasing insufficiently tested code, instabilities caused by creeping featurism, and programs where deadlines are more important than security.
  • Linux users expect to reboot when they need to remove power in order to add new hardware. If a Linux machine crashes, there is something extremely wrong.
  • Windows users expect to reboot whenever they change any configuration or install software. Windows machines are notorious for crashing frequently. If you don't expect your machine to be stable, why would you expect it to be secure?
A plain open honest OS
  • Linux developers provide a solid operating system to the masses for free.
  • Microsoft attempts to acquire more paying customers through FUD (fear, uncertainty, and doubt) and by locking you into their platform. Security holes are spin-doctored instead of fixed, the buck is passed, lies are told endlessly, and they can't even protect their own servers and don't know how to handle basic networking.

Quite honestly, we do not think we could write a book about securing a system that we don't trust. Linux is open for the world to see. No skeletons in the closet, questionable agendas, back door passwords, hidden features, or one-way mirrors. And this is why it can be secured.


