
Can’t you avoid ransomware by just not using Windows?


Linux is not invulnerable to ransomware, it's just easier to secure.


To add to that, Linux is easier to secure because it is found mostly in the datacenter (I'll ignore Android for this one). It's not only more robust but it's secured according to a whole different standard than desktops since it doesn't need to be operated by Average Joe.

On the other hand the vast majority of Windows installations are either regular home users (with no knowledge for properly setting up their computer, and ideally with the updates disabled because they read on the internet that updates are bad) or corporate desktops (which might be secured better but still at the mercy of a user clicking on everything).


Linux and BSD are found in a lot of places; it is more to do with its design being supportive of all kinds of deployments rather than only just popularity, I think.

Windows Server administrators are a lot more likely to be "certified" and "trained" by MS-approved courses than Linux admins, and of course it does not help.

I would say it's more likely to find an average joe (from a devops perspective) running a Linux box than a Windows box.


> average joe (from a devops perspective)

That's a whole different kind of average joe. A mediocre tech person is still an order of magnitude more qualified to take care of a machine than a mediocre user.


I would argue that typical desktop Linux distros are as difficult if not more to secure than desktop Windows.

It's hard to keep track of the current state of things, but issues that come to mind are all of the design issues with X, such as poor isolation of applications, X server typically running as root. Desktop apps are typically not deployed with SELinux. Compromised apps can generally access all of the users' data.

Something like ChromeOS on the other hand, is pretty secure, but that is a whole different beast.


I knew a guy who knew a guy who decided to get revenge for some stupid perceived offense on a MUD.

This guy had the patience to put a time bomb onto their system and not trigger it until it was on all of the backups. How does someone have the patience to do something like that and yet do something so petty when they have a month to think about it? The older I get the less sense it makes, and it didn’t make much sense even then.

Years later another person did a similar thing to a different victim, hacked the kernel on the machine to clone all conversations. Published them, and then published the new conversations after the admins restored from the tainted backups. Surprise, motherfuckers!

Both sites went offline for months.

It’s easier for me to imagine doing something like this on a fishing expedition. You’re gonna try with a dozen potential victims and then enjoy the two who get bit the hardest. Vendetta is also possible, but more fanciful and can often be mitigated by not being an asshole in the first place. Also motive? Easier to catch a jilted lover than a serial killer.

In part because of these experiences, I had been known from time to time to keep a secret cold backup of the 10% of our assets that would be hardest to replace. But if that were ever stolen? Oof. I’d be fired so fast they’d throw my belongings out the window, so I stopped at some point. Git provides a little bit of that now anyway.


This seems poor hiring rather than anything tech can or should solve.

On a general note, infra could be more like cattle than pets, perhaps? If configuration is applied via version-controlled and reviewed automation (Ansible, Helm, hand-crafted YAML...), perhaps that could have been mitigating? DevOps like this is considerably easier on Linux than on Windows.

However, like I said, tech cannot solve poor employee choices; setting up and following the systems without bypasses depends on the same employees, so nothing someone with malicious intent cannot undo.


People are complicated and unpredictable. Nobody can solve poor hires.


Interesting replies.

(1) I said avoid, not eliminate. The comments replying “no” are really saying, “yes”. Doesn’t ransomware typically install an executable on the victim’s machine? And won’t the vast majority of those payloads run only on Windows?

(2) Desktop Linux actually exists. I use it exclusively, every day.

(3) Security, obscurity. A proverb that is almost exclusively applied incorrectly. I’m not talking about cryptographic security. Just asking whether it would help to lock the door and take down the “please rob me” sign.


You know the best way to avoid attacks against your computers?

Don't have any computers.

That's roughly the equivalent of what you're saying. A business cannot just throw out its entire software stack and start over, not to mention the complete lack of equivalents to a lot of Windows-only software that's out there.

Even for individuals, it's often not reasonable to expect people to switch to a different platform and drop tools they've been using for a decade.


Those are not equivalent. Some businesses don't need tons of software, and can switch. Other businesses have not even started yet, and could avoid Windows from the start.

An extra backup is cheaper than switching software stacks, sure. But you're stretching the hyperbole pretty far.



Interesting. But, from the article: “So far, researchers have only seen Tycoon targeting Windows in the wild.” That was my point. The article you link to is an example of how you can avoid ransomware by not using Windows.



How would that avoid ransomware? For individuals that might work but it’s not scalable. It’s just security via obscurity.


There are both Mac and Linux ransomware out there.



