Browsing safely the Web from Linux on a VM after Windows 7 EOL

Topic

New Reply

I have Windows 7 Pro, SP1, x64 installed on a PC ca. 2011 with 8 GB of RAM and 750 GB HD, of which some 250 GB are still free. The PC has been patched thoroughly, Group B-style, to date, and shall continue to be patched in this way until the January 2020 EOL of the OS, or any time after that that MS decides to release patches, as it has done now and then for Windows xp.

After the Win 7 EOL, and probably much earlier than that, I would like to run Linux on this PC from a virtual machine.

When doing that, and particularly after the Windows 7 EOL:

(a) Shall it be safe enough for me to browse the Internet from inside the Linux on a VM, or shall I be as vulnerable as if I did it directly from the, by then, no longer being patched Win 7 OS?

(b) Would it help if I installed a good anti malware application for Linux also on the VM?

(c) And how about emailing?

Thanks in advance for any useful replies someone might choose to post in answer to this set of related questions.

Ex-Windows user (Win. 98, XP, 7); since mid-2017 using also macOS. Presently on Monterey 12.15 & sometimes running also Linux (Mint).

MacBook Pro circa mid-2015, 15" display, with 16GB 1600 GHz DDR3 RAM, 1 TB SSD, a Haswell architecture Intel CPU with 4 Cores and 8 Threads model i7-4870HQ @ 2.50GHz.
Intel Iris Pro GPU with Built-in Bus, VRAM 1.5 GB, Display 2880 x 1800 Retina, 24-Bit color.
macOS Monterey; browsers: Waterfox "Current", Vivaldi and (now and then) Chrome; security apps. Intego AV

Reply | Quote

Replies

If you are running Win7 as the Host OS, it is still connected to the Internet in the same way any PC is if you are using it without browsing the Internet or dong email. Any time you turn on the PC and see the Network Icon active in the taskbar tray, you are connected to the Internet (even when you are not browsing or doing email.) In other words, It’s like you were using the PC only for Office programs, say. So even you are not using the Internet “directly,” your PC is still exposed to it. So you have to continue to run anti-virus/firewall software on the Win7 Host.

The virtualization software you use provides a way for the Guest OS to use the computer’s hardware. For the Internet connection the virtualization software basically supplies a compatible driver and sets up a shared network connection for the Guest.  If you turn off the Ethernet card in the Host, the Guest also loses connections. For the Guest, you will need whatever security measures you would have if it were a stand alone computer.

In your situation, where you need Win7 to run specific programs, it would be safer to run the Linux as the Host and the Win7 as the Guest OS. That way, your active browsing and email are done on the Linux Host, and you crank up the Win7 VM to do whatever you need without direct use of the Internet.

I think the first thing you would need is to start using Linux, so you have a knowledge about that OS. You could set it up as a VM either on the Win7 or on the Mac. That way you would gain experience with VMs so you could learn what they are and do. You won’t gain a working knowledge of either by just asking questions.

 

6 users thanked author for this post.

des911, Klaas Vaak, RamRod, Elly, Microfix, johnf

Reply | Quote

1) Backup your PC before doing anything

2) You can dual boot (there are instructions on the web on how to install Linux for dual boot). The easiest way to do that is to buy a second hard drive (you can get an SSD 250 gig drive cheap), and install Linux on the new drive. This lessens the risk, and you get better performance with a real install vs a VM.

3) Disable the NIC card  in Windows.

4) You can enable internet access in Linux, but that does not mean you will be 100% safe. You should download Clam, and Clam-TK (the gui to Clam, which is a free antivirus) off of your Disto’s repositories. You don’t have to scan often, this is more for making sure files you get or give to others aren’t infected. Linux by design is difficult to infect unless you allow it.

Then, use No Script as well as UBlock Origin for ad blocking in your browser.

5) Practice  safe browsing (don’t go to sites that are likely to have nasties, like Porn sites or Russian music sites). Don’t open up holes in your firewall by using file sharing programs (speaking of firewalls, make sure your firewall is activated). Don’t install PPA’s or other programs not in your Distro repositories, unless you’re SURE they are safe (it’s safe to install Openoffice if you’re going to the actual website, for example).

6) Install patches …you may want to use Timeshift or equivalent (it backs up your OS, similar to System Restore in Windows) before you patch. You can patch at your pleasure but don’t wait too long.

7) Don’t run as root (use Sudo, or get out of root as soon as you can).

8) Emailing…Web emails (Google, Yahoo, Hotmail) work fine, for the most part. You may want to have a couple of browsers (I have Chrominum, Google and Pale Moon/Waterfox  installed…don’t like what Firefox is doing lately). If you need  local pop email, use Thunderbird, it’s stable and works fine.

9) Linux…you didn’t mention what distro. For new users, I recommend Manjaro (XFCE), Linux Mint (Cinnamon), MX 17 (XFCE) or Linux Lite (XFCE).

5 users thanked author for this post.

des911, Kirsty, Charlie, Elly, Microfix

Reply | Quote

@OscarCp, I would highly recommend, as @PKCano has suggested, having your choice of Linux distro as the Host OS and Windows 7 as your Guest OS. The beauty in doing this is, you can actually isolate Windows 7 from the Internet at EOL or any time, through the Virtual Machine (VM) and still use it for Windows programs. Then using a Linux email client can deal with your emails further down the progress line (it’s the best of both worlds on a PC)

If you are not experienced with setting up or using Linux, I would also suggest that you look at mainstream distro’s either Linux Mint, Ubuntu derivatives or Manjaro (as they have a good active support forums where you can get answers quickly)
First of all though, you need to establish which ‘type’ of Linux you like.
Only you can decide and there are LOTS of different distro’s out there but, for starters, here is a great resource for browsing through distro’s: Distrowatch to do some research.

When you decide on one to try, you can download it, check the ISO hash/ checksums against the authors website then assuming everything is good, flash to a USB stick or burn to a CD.

You can actually try these without making ANY changes to your current system by booting from either the USB stick or CD, just to get a feel of the distro you have chosen.

Security wise with Linux, 1st turn on the firewall then you can install from the repositories an AV as suggested by @johnf and also anti-malware (chrootkit/ rkhunter) to protect your host OS.

Windows - commercial by definition and now function...

2 users thanked author for this post.

Chessie, des911

Reply | Quote

I thank all of you for your detailed answers, which I hope will be really helpful to those that might want to visit this thread in the future.

Unfortunately, I prefer to have Windows 7 as the host and install Linux on a VM, simply because, unlike other people, I am severely allergic to messing around with the OS and, most particularly, with the UEFI, but still would like to continue to get as much out of my old Windows PC as I can, for the rest of its natural life.

I am not new to Linux (and FreeBSD), something that has given me a big leg up when I started using a Mac last year, as its OS under the hood is a variant of FreeBSD, a fraternal twin of Linux. I just don’t want to mess around with the OS that is already running on the Windows machine or with that PC’s UEFI. So it looks like I might do something I believe PKCano and some other here might be doing, and install Linux on a VM on my Mac, and use the Windows PC only for doing all the not-online things I need it for.

 

 

Ex-Windows user (Win. 98, XP, 7); since mid-2017 using also macOS. Presently on Monterey 12.15 & sometimes running also Linux (Mint).

MacBook Pro circa mid-2015, 15" display, with 16GB 1600 GHz DDR3 RAM, 1 TB SSD, a Haswell architecture Intel CPU with 4 Cores and 8 Threads model i7-4870HQ @ 2.50GHz.
Intel Iris Pro GPU with Built-in Bus, VRAM 1.5 GB, Display 2880 x 1800 Retina, 24-Bit color.
macOS Monterey; browsers: Waterfox "Current", Vivaldi and (now and then) Chrome; security apps. Intego AV

1 user thanked author for this post.

des911

Reply | Quote

you need to be using a 64bit Win7 as a 32bit/x86 version of Win7 may not work on UEFI based systems

2 users thanked author for this post.

des911, OscarCP

Reply | Quote

The host computer may have UEFI, but that does not mean the guest machine does.  In Virtualbox, there’s a checkbox for UEFI mode (listed as experimental in the UI), and if it’s not checked, it uses a BIOS (legacy) boot regardless of the configuration of the host PC.  Checking or unchecking the box after the OS is installed in the guest will almost certainly result in the guest OS being unbootable, so if you wish to use this option, do it during initial setup before the OS is installed.

Virtualbox has 32 bit and 64 bit VMs that can be created on a 64-bit host.  To create a 64-bit guest, the host PC has to be 64-bit and support Intel or AMD virtualization extensions.  The 32-bit VMs don’t require the VM extensions, but they will perform worse without them.

Other VM packages may vary, of course.

 

Dell XPS 13/9310, i5-1135G7/16GB, KDE Neon 6.2
XPG Xenia 15, i7-9750H/32GB & GTX1660ti, Kubuntu 24.04
Acer Swift Go 14, i5-1335U/16GB, Kubuntu 24.04 (and Win 11)

1 user thanked author for this post.

des911

Reply | Quote

Curious, if you are dual booting windows 7 and Linux, why would you need to disable the NIC in Windows? Is it to avoid accidental internet connection when logging into Windows from Linux? I only use a wired connection and pull it when computer is sleeping.

Group L (Linux Mint 19)
Dual Boot with Win 7
Former
Group B Win 7 64 bit

Reply | Quote

Re: Dual Boot

Oscar had asked if he could use a Linux VM to browse, while keeping his Windows 7 system off the internet. I’m not sure you can do that using a VM, so I suggested using a second hard drive (easier to install linux into , instead of having to shrink your current partition) and dual boot.

So, he would have a disabled NIC card when he booted into windows, and the same card would be enabled when he booted into Linux, which should fill his requirements. In addition, he could use the Linux boot to help repair his windows side, should that get borked (though I supposed a Linux rescue usb would work as well…)

To be clear, this is NOT using a VM, so you wouldn’t be “logging into Windows” from Linux. This would be booting up the PC via dual boot, so if you chose Linux, you could “look” into the PC partition, but you couldn’t log into it. You’re booting either Linux or Windows, not both.

 

1 user thanked author for this post.

des911

Reply | Quote

Why run Linux in a VM? If it’s an old PC just run Linux direct, or run W7 and make regular image backups that you can restore if something goes awry.

cheers, Paul

Reply | Quote

I read about a Windows program that gives you some of the security benefits of running in a VM, but on native Windows.  It was in one of those “antivirus round-ups” that various sites or publications like to do.  The idea is that the PC would be booted as normal, then be used for as long as you wished before being rebooted.  The next time it was booted up, it would be restored to be exactly the same as it was the last time it was booted– so any malware that had infected the PC would be removed, along with any non malware-related breakage that may have occurred.  Any files the person had saved would also be deleted, so it would be a good match for a cloud drive of whatever flavor.  You could also use a drive that isn’t subject to the rollback, but there’s the possibility of malware hiding there at the same time.

If the user wants to make a permanent change, such as installing a new program, they can have the software set the new configuration as the reference point instead of rolling back.  Naturally, it would be safest to roll it back immediately before installing the new program, then immediately set that as the reference point.  Once that was done, any future rollbacks would be to that new reference point.

The article said that in their tests, the rollbacks were effective in reverting the deliberate malware infections the tester/author had put in there.

If it is indeed reliable, a program like this would be a great match for a Windows 7 post-support.  Any malware, known or unknown, would be removed, possibly before the PC owner/user was even aware of it.

Does anyone remember the name of the product from the description, by any chance?  I wish I remembered more product names to go along with the descriptions, but this was several years ago.

 

Dell XPS 13/9310, i5-1135G7/16GB, KDE Neon 6.2
XPG Xenia 15, i7-9750H/32GB & GTX1660ti, Kubuntu 24.04
Acer Swift Go 14, i5-1335U/16GB, Kubuntu 24.04 (and Win 11)

2 users thanked author for this post.

des911, OscarCP

Reply | Quote

Sounds like Faronics Deep Freeze.

https://www.faronics.com/products/deep-freeze/enterprise

Group L (Linux Mint 19)
Dual Boot with Win 7
Former
Group B Win 7 64 bit

4 users thanked author for this post.

JSTechGeek, des911, Ascaris, MrJimPhelps

Reply | Quote

From: YP ; Old unix user for 10 years, back 18 years ago.

Systems: Group B Win7 starter, home, pro; chrome book

I’ve had my chrome book for a couple of years now and I really like it.  In September, I finally installed Ubuntu 14 (testy) on my chrome book.  The nice thing about chrome books is that you can have both OS on the same system.  I believe both OS is running side by side and is not a VM.  Anyways, I’ve been using Libreoffice and wine to use portable windows application.   Even with previous experience with Ubuntu in live boot, it was still a rough learning curve.  My personal opinion: As a user, Linux is not that hard to get use to; however, as a system admin, it is quite different from windows.  To add applications is not the easiest.  I found that I had to search online to find correct depositories to get the specific version of Libreoffice.  I’m pretty happy with my current set-up.

Where am I going with this?  Well, I have my eyes on the lastest mid to high end chrome books.  In theory, you can run native Linux apps in native mode, which is what wine does.   I’m thinking that I can install virtual box on it also.  I’ll probably get myself a refurbish win10 machine sometime late next year.  My personal road map and saying good-bye to windoes BS!  BTW, I don’t agree with comments about chrome/google spying on you.  Myself, I use DuckDuckgo for search, ublock and umatric.  I have 1 account for my chrome book in which I turn off location history, etc.  Yes, google get some info but not a lot.  At least that’s what I think.

2 users thanked author for this post.

des911, Klaas Vaak

Reply | Quote

Anonymous ( #225630 ) you have written:

“ In September, I finally installed Ubuntu 14 (testy) on my chrome book.  The nice thing about chrome books is that you can have both OS on the same system. ”

This sounds interesting. Could you explain it a bit further?

For example: do you mean to say that this is not the same as when installing Ubuntu in “dual boot” with Windows, that require making modifications to the BIOS or UEFI as well as partitioning the hard disk differently, but something simpler and more direct than that? If so, what is it like? For example, is installing Ubuntu (or some other Linux distro?) on a Chrome notebook the same as installing just another application on the native Chrome OS?

Or something else altogether?

Thanks.

 

Ex-Windows user (Win. 98, XP, 7); since mid-2017 using also macOS. Presently on Monterey 12.15 & sometimes running also Linux (Mint).

MacBook Pro circa mid-2015, 15" display, with 16GB 1600 GHz DDR3 RAM, 1 TB SSD, a Haswell architecture Intel CPU with 4 Cores and 8 Threads model i7-4870HQ @ 2.50GHz.
Intel Iris Pro GPU with Built-in Bus, VRAM 1.5 GB, Display 2880 x 1800 Retina, 24-Bit color.
macOS Monterey; browsers: Waterfox "Current", Vivaldi and (now and then) Chrome; security apps. Intego AV

Reply | Quote

I am adding this writing to my previous entry, because, having just looked up on the Web this issue of running Ubuntu  on Chrome, I also found something I had not looked up previously: that all the Chromebooks have, it seems, only these tiny sub-13 inch screens. That is also the size of the screen of what might be the priciest of the lot, at well over 1000$, Google’s Pixelbook, an otherwise reasonably equipped higher-endish machine under the hood.

And the cheaper ones come with tiny hard disks (by today standards). So they do not impress me as particularly useful or convenient for serious computer work. Maybe good enough for the consumer mass market, which seem mainly design to satisfy… except for those tiny screens. Why would anyone bother to buy a laptop with such a small screen? Because it is larger than a cellphone’s screen? Well, OK, there is that.

Ex-Windows user (Win. 98, XP, 7); since mid-2017 using also macOS. Presently on Monterey 12.15 & sometimes running also Linux (Mint).

MacBook Pro circa mid-2015, 15" display, with 16GB 1600 GHz DDR3 RAM, 1 TB SSD, a Haswell architecture Intel CPU with 4 Cores and 8 Threads model i7-4870HQ @ 2.50GHz.
Intel Iris Pro GPU with Built-in Bus, VRAM 1.5 GB, Display 2880 x 1800 Retina, 24-Bit color.
macOS Monterey; browsers: Waterfox "Current", Vivaldi and (now and then) Chrome; security apps. Intego AV

Reply | Quote

I’ve seen larger Chromebooks than that.

As far as “serious computer work,” it all depends on what you mean by that.  Chromebooks are not meant to be full-functioned general purpose computers.  They’re a quick and easy way to get someone on the web with Chrome.  That’s all many people need, and for that role, they’re a lot less of a hassle than a Windows PC.  Why put up with all of these problems we discuss here in Windows 10 if all you want is a browser on wheels?  That’s the target market of Chromebooks.

Chromebooks have their own firmware too.  It’s meant to be used with ChromeOS, and it’s customized for that purpose.

You don’t need to be so afraid of UEFI.  It’s just BIOS updated to a more modern technological standard.  A lot of people speak of it as if it was some demonic thing that exists to wreck your day, but it’s not.  Unless the PC in question uses a particularly buggy or otherwise defective implementation (which would mess you up in any case, even if it was not UEFI), it’s not some can of worms that can’t be figured out.  I’ve used various implementations of it on Sandy Bridge, Ivy Bridge, Braswell, Kaby Lake, and Apollo Lake, and it’s never been a problem.  It’s a little bit more involved in some areas (depending on the implementation), but ultimately, any problems you have are fixable, and once they are fixed, you can just forget about it and use the device from then on.

Of course, if you wish to avoid it, that’s your prerogative, but you’re limiting a lot of your options for fear of a problem that has not even happened and may not ever happen.

Dell XPS 13/9310, i5-1135G7/16GB, KDE Neon 6.2
XPG Xenia 15, i7-9750H/32GB & GTX1660ti, Kubuntu 24.04
Acer Swift Go 14, i5-1335U/16GB, Kubuntu 24.04 (and Win 11)

2 users thanked author for this post.

Klaas Vaak, OscarCP

Reply | Quote

Thanks, Ascaris. As to:

” You don’t need to be so afraid of UEFI.  It’s just BIOS updated to a more modern technological standard. ”

See, the problem with me, on this particular, at least, is that I am equal-opportunity allergic to fiddling with any firmware that, among other things, pulls in the OS to start the show, so to speak, and that could be extremely bad (again, for me) to mess up, be its name UEFI or BIOS. Never in my, by now really quite long life, I have done anything of the sort and yet, surprisingly perhaps, here I am. So I much rather wouldn’t start now… and that’s the long and the short of it.

As to the size of the disk and the screen: besides doing things on the Web (but not on the Web as “Cloud”, except for using the AV for malware scans and using search engines to find out things both technical and not quite so, but I think I need) I do a lot of rather large and complex software development and much of it from the command line, be it DOS or Linux/FreeBSD/macOS/Unix. It involves reading, writing and manipulating large files  (GB-class, some times) and up to an hour of number crunching and IO. That is, at least in my, as you probably know by now, not very humble opinion, what I consider to be “serious computing.”

But I also must thank you for explaining and so making it clear something I don’t remember has come up at Woody’s (or if it has, I missed it): the patching and upgrading of Ubuntu and Mint.

Ex-Windows user (Win. 98, XP, 7); since mid-2017 using also macOS. Presently on Monterey 12.15 & sometimes running also Linux (Mint).

MacBook Pro circa mid-2015, 15" display, with 16GB 1600 GHz DDR3 RAM, 1 TB SSD, a Haswell architecture Intel CPU with 4 Cores and 8 Threads model i7-4870HQ @ 2.50GHz.
Intel Iris Pro GPU with Built-in Bus, VRAM 1.5 GB, Display 2880 x 1800 Retina, 24-Bit color.
macOS Monterey; browsers: Waterfox "Current", Vivaldi and (now and then) Chrome; security apps. Intego AV

Reply | Quote

From:@YP

OscarCP, Chrome books has a “linux” kernel. In developer mode, you can install Ubuntu versions, up to the latest. Once linux is installed:

– boot into chrome OS
– open up a shell window, type 2 commands and you are on the linux side.
– roughly speaking, you swap windows for chrome or linux side

I bought my low end chrome book, 14″ refurbish for <$150 including tax. It only has 16Gb SSD. I put in a 128Gb SD class 10 for all my files; I don’t use google drive much. I’m not a cloud person. With chrome OS + Ubuntu V14, I have about 5-6Gb left on the SSD, which is not a lot compare to PC or Mac. However, a lot of users, use their PC for web surfing, online stuff, and a handful of windows applications. This is where I think the chrome book shines. Personally, I will always have a window machine around for usage; I definitely will keep my Win7 as long as possible and bite the bullet for a win10. Myself, the only windows apps I use are gimp, avidemux (basically picture & video editing), Libreoffice, and windows utility programs. So basically, my current chrome book allows me to do most of what I want. I don’t have to hassle with windoes updates. Also, people who want to migrate to linux, hoping to avoid windows hassles, should really try linux first. My understanding is Linux Mint does not allow you to upgrade to higher version; you have to install a new version. Ubuntu, in theory allows you to upgrade to higher version.

Additionally, 13″ screen is really not that small. I find on my 14″, all the text on the browser in less than 14″. In summary, chrome book is not for everybody. One needs to see how they really work on their machines. I think you will find more than 50% of the time is spend using a browser.

Sorry for long post, I’ve read your postings and I really appreciate your no nonsense comments.

3 users thanked author for this post.

des911, Klaas Vaak, OscarCP

Reply | Quote

anonymous wrote:

My understanding is Linux Mint does not allow you to upgrade to higher version; you have to install a new version.

Mint upgrades are possible most of the time.  The minor updates (18.2 to 18.3, for example) can be done from the Mint Updater by selecting the option that will appear to upgrade to the newer version.

Updates that change a full version number (18.3 to 19, for example) are more involved, but they are usually possible.  One that was not possible was when the KDE version of Mint was upgraded from KDE 4 to KDE Plasma 5, which apparently was too much of a change for an upgrade to work.

Full number upgrades in Mint (which change the package base from one Ubuntu LTS base to the next) use the command line, and Mint devs warn that it is not a process that beginners should be performing. Their site gives step by step instructions on how to do it, and you can usually just copy and paste the commands they give and it will work quite well.  Sometimes there is a package dependency issue or a failure to install something that the upgrade program can’t fix, and that’s when the beginner would be in trouble.

I’ve upgraded Mint from 17.3 to 18 and 18.3 to 19, and they all worked perfectly afterwards.  I did have a few dependency issues to correct during 17.3 to 18 upgrade on one of my PCs, but it wasn’t too hard to fix.  Back then, I did not have a great deal of Linux experience, but I did with Windows, so while I didn’t know offhand how to fix the issues when they occurred, I was able to understand (generally) what the error messages were telling me, so I was able to figure it out, with the help of whatever search engine I was using then.

Dell XPS 13/9310, i5-1135G7/16GB, KDE Neon 6.2
XPG Xenia 15, i7-9750H/32GB & GTX1660ti, Kubuntu 24.04
Acer Swift Go 14, i5-1335U/16GB, Kubuntu 24.04 (and Win 11)

5 users thanked author for this post.

des911, Charlie, anita.yk, Klaas Vaak, OscarCP

Reply | Quote

From:@YP

Thanks Ascaris for the info regarding Mint version upgrades, I only did cursory look at various distributions.  I had tried Mint, which I do like before settling on Ubuntu for testing/tryout.  Also, Ubuntu is what I can install on my chrome book and allows me to test Linux in native mode, instead of using VM.  I was able to try unity desktop and xcfe, which I’m feeling comfortable with.

I have read your postings also, and I do appreciate you sharing your knowledge.

Reply | Quote

I’ve gotten some good info. reading through these posts.  Seems that Linux is not super safe and secure OS I had been led to believe.

I noticed in post #225459 it mentions a Firewall.  I have Linux Mint Cinnamon 17.3 and I can’t find any firewall.  Do I need a later version or can I download a firewall?

Being 20 something in the 70's was so much better than being 70 something in the insane 20's

Reply | Quote

Charlie: sudo ufw status, password. If off, sudo ufw enable, password. Restart, check with sudo ufw status. Download GUI from Software Manager, type in ufw in search box, and you will see it. Easy to check then – you won’t need command line to check – and it should stay on permanently. Accept the defaults, so just have it set at On. Deny Outgoing means deny all outgoing that I have not initiated.

2 users thanked author for this post.

des911, Charlie

Reply | Quote

It depends on what you mean by a super safe, secure OS.  If you mean that it’s close to invulnerable, so you can forget the principles of safe computing and throw caution to the wind… well, it’s not that.

Nothing is invulnerable, but those OSes that come the closest are among those I desire the least, personally– iOS being the paragon example.  It’s so locked down that there are few footholds for malware to wriggle its way in… but on the bad side, it’s so locked down that I’d end up frustrated and work to break the lockdown myself, no malware needed.

With a real desktop OS like Windows, MacOS, or any of the various Linux distros, you have a great deal more power than that, and along with power comes risk.  While a modern Linux distro is not invulnerable by any means, it’s still quite good right out of the box.  Security holes are typically patched within hours, and those fixes are rolled out immediately, with no waiting until the next Patch Tuesday.  The attack surface is smaller, without deeply-embedded “features” like Internet Explorer and Cortana that can’t be removed and that could provide a direct conduit from the application level to the kernel, should there be a vulnerability discovered.

Linux distros also have an embedded privilege system that prevents rogue applications (or individuals) who don’t have root permissions from doing much harm.  Windows has tried to replicate this with UAC, but it’s dragged down by the Windows XP “everyone is administrator” legacy, where many popular programs required admin rights to work at all.  XP hasn’t been current for a while now, but the tacked-on nature of UAC (first seen on Vista) is still apparent, and many users continue to regard it as an annoyance (which it is, really) and disable it.  Using it is still more annoying and klunky than it needs to be in many areas, and it seems to be a result of Microsoft’s attempts to dumb everything down to not frighten neophytes with too many options.

Linux distros are much more clear about such things.  Using Linux, I know I need to elevate for certain operations.  It’s been baked in from the beginning, so all the applications written for Linux are well aware of the difference between application (user) level privileges and root level privileges.  Running with user privileges instead of admin (root) privileges stops the large majority of malware attacks, and Linux IMO does that far better than Windows.  Even all these years after Vista arrived, UAC still feels klunky and as tacked-on as ever, and that leads people to disable it.  Somehow UAC manages to get in my way more in Windows than Linux privilege escalation prompts do, even though the Linux ones ask for a password and the Windows one just asks for an OK by default!

Linux isn’t immune to malware, but it does benefit from being a small target.  If you’re going to write a bit of malware aimed at users, are you going to target the OS that runs on 2% of desktops or the one running on 90% of them?  It doesn’t take 45 times the effort to write a Windows malware than it does to write one for Linux, but you automatically get 45 times more potential victims in Windows.  Windows users are also more likely to be basic users who don’t understand risk (and often they don’t want to) than Linux users, though that would change if Linux ever caught on in a big way.  Windows is the obvious target, and MacOS is a distant second.  Linux is not even on the radar as far as most desktop attacks are concerned, even though I’d bet my bottom dollar that most of the miscreants use Linux on their own machines.

In the IoT world, of course, things are different, and Linux is definitely targeted there, as it is a dominant player.  Any software can have a security hole discovered, and the Linux that runs most consumer routers, for example, is no exception.  They need to be updated when exploits are discovered, and consumer router manufacturers have been spectacularly bad at actually doing this.  I am using a router right now that has not seen a factory update since (I think) January 2012, about seven years ago!

It’s still a decent router, and later revisions of my model are still listed as current products on the Netgear site (with the latest firmware from January of 2018), so it’s by no means obsolete.  It doesn’t stop its maker from completely abandoning their customers still using perfectly usable but older revisions of the same product, leaving them vulnerable to any number of threats that may exist.  Fortunately, it is a popular enough model that there are open-source firmware images available, so I am up to date– no thanks to Netgear.

 

Dell XPS 13/9310, i5-1135G7/16GB, KDE Neon 6.2
XPG Xenia 15, i7-9750H/32GB & GTX1660ti, Kubuntu 24.04
Acer Swift Go 14, i5-1335U/16GB, Kubuntu 24.04 (and Win 11)

1 user thanked author for this post.

Charlie

Reply | Quote

Linux has always had a firewall built-in.
https://opensource.com/article/18/9/linux-iptables-firewalld

cheers, Paul

1 user thanked author for this post.

Charlie

Reply | Quote