Wednesday, November 26, 2014

Fedora Linux: The Safest Operating System on the Planet

(Image credit:

Computer Viruses cannot mount an attack on Fedora Linux.

It's a simple fact that millions of Windows users don't know.  In fact, largely, they don't care.  They assume an operating system, like Microsoft Legacy (x86) Windows, comes with AV software to handle the job of fending off viruses as being 'normal'.

Truth be told, it isn't normal.  And whether or not your AV Software catches a virus can be 'hit or miss' and a matter of timing.

I'll get to why Windows gets infected and why Fedora does not in a minute.

How AV Software Works

AV software relies on the fact that every virus will have its own exploit characteristics and the exploit code that invades your PC has it's very own unique CRC 'fingerprint' that when scanned for and compared to a database of 'known exploits' will get a match on that CRC value, which is a unique check sum number.

The problem with that approach is that some of the more clever viruses once they have compromised your system, intentionally alter their own executing code's CRC value on even an hourly basis so as to avoid detection against an AV database which might update only once a day if you are lucky, or worse, once every several days.

And they effectively sit on your system undetected, flying below the radar of your AV software.

Aged Windows NT Kernel

Even today with the very newest Microsoft Windows 8.1 (x86), the WinNT kernel is the same as those going all the way back to Windows 2000.  That's right.  The same.

Microsoft's large base of installed Enterprise systems are running on that kernel and any major redesign would cause hurrendous interruption of service, which simply cannot happen.  So, they continue with their haphazard patch Tuesday sending out updates to known exploits -- that's ones which they 'officially' have taken corrective action on, and doesn't include zero-day exploits.

Zero Day Exploits Prevail

Zero Day Exploits is another matter entirely.  These are exploits which can attack vulnerable unpatched Windows systems for which there is no official fix available.  The wild is filled with a 'black market' for writing Zero Day exploits which sellers sell to criminals who are intent on circumventing your PC on the promise that a Zero Day exploit will be effective.

Around the World, Windows PCs by the millions are prey to attack and this has become quite profitable for a syndicate of criminals intent on parting you from your money.

Such exploits include RansomWare, which is perhaps the most prevalent and pernicious type of virus.  If a successful attack is mounted against your Windows PC, said RansomWare quietly encrypts your hard drive, then puts a private key lock on it, and, only then, notifies the end-user that their PC is locked until they make payment.  It's become like shooting fish in a barrel and the software is now sophisticated enough to even offer the added convenience of payment by Credit Card!  Nice touch ey?  Terrible.

Windows Security is Not Assured

So, you see, running AV on Windows will not guarantee your PC will remain virus-free.  Nope.  Really, from my vantage point, there's nothing that can stop a successful exploit.

Other attacks include Drive by download where the user visits a legitimate website (which is compromised) and by merely going to your 'favorite' website, it can trigger a silent download from your browser a Javascript tag injection of DLL code which then runs unchecked on Windows.

Policing the Kernel's Actions

Unchecked.  The prime defect in WinNT, the aged 2000 kernel, is that there is NO 'third party' policing of what actions are taken by the kernel itself.

Imagine there being a police officer on sentry 24x7 who not only checks the actions taken by your favorite Application, but also those actions spawned by said Application to the kernel to perform specific system functions.

It is at the instant that an Application spawns a SYSTEM call to the Windows kernel (by the injected DLL of a Javascript attack) that a 'third party' should step in to investigate the discrete granular action being taken.  It simply doesn't happen.  The DLL injected code runs and exploit code at this point can perform any SYSTEM related administrative function.  No one called the police.  Your system is owned whether you know it (RansomWare) or not (SpyBot).

Linux Security Modules - A Better Design

Unlike the flawed design of Windows' WinNT kernel, Fedora Linux comes installed with a 'third party' Policing agent -- generically speaking it's called a 'Linux Security Module', specifically the module that is running is called SELinux.

It is this 'policing' aspect of SELinux that sets Linux apart in design and safety from Microsoft Windows.

Any software design which produces an unintended side effect that the software designer never intended to have happen as part of the feature set of a given Application is a 'bug'.  It is also true, that viruses exploit such a bug to induce the Application to behave in an unintended way.  The goal (induced side effect), is to escalate and gain access to the core SYSTEM function API.

SELinux, when your PC boots, binds to the Linux kernel and then makes a 'hook' into the kernel.  This 'hook' is a pause in execution by the SYSTEM at which point SELinux gets the opportunity to approve/deny what the kernel wants to do, BEFORE, execution can happen.  There is no getting by the 'hook' and so anything which is deemed not part of a normal 'policy' for the application which spawned a child SYSTEM call gets a 'deny'.

The exploit simply is stopped cold in its tracks.

So, this was necessarily verbose.  I apologize.  But it is hopefully clearer to you now why I endorse using Fedora 21 Workstation, because it is truly safe and viruses cannot mount an attack.  Ever.

Get Fedora 21 Workstation Prerelease for free (general release December 9, 2014) today, here.

Fedora Linux: The safest operating system on the Planet.

I stake my reputation on it. -- Dietrich


Post a Comment