Linux Security

Has Linux Been A Victim of Its Own Success?

Matthew Hughes 13-10-2015

Jim Zemlin is the head of the Linux Foundation. Their mission is to “promote, protect and advance Linux”. So, why did Jim recently say that the “golden age of Linux” might soon come to an end?


The answer to that lies in the ability of the Linux community to cope with security problems. It turns out, it’s harder than you think.

A Flurry of Security Problems

The past 18 months have been brutal for Linux. That isn’t hyperbole. Major security vulnerabilities have been found in components shipped by almost every single distribution, with serious consequences for end-users.

The one with the most notoriety was Heartbleed, a bug in OpenSSL’s TLS heartbeat extension. A peer could ask for a heartbeat response far longer than the payload it had actually sent, and the vulnerable code obligingly copied that many bytes out of process memory: up to 64 KB per request, containing whatever happened to sit nearby, including the server’s private TLS keys, session cookies and users’ passwords.

This, as you might expect, fundamentally undermined the confidentiality of online encryption: a leaked private key lets an attacker impersonate the server, and decrypt recorded traffic from any session that didn’t use forward secrecy. At the time, millions of systems were at risk. To this day, it’s estimated 200,000 systems are unpatched.
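To make the bug concrete, here is an added example in C (not code from the original article, and not OpenSSL’s source) that models the missing check. The simulated “process memory”, the two-byte probe and the placeholder secret string are all constructed for the example; the record layout (one type byte, a two-byte big-endian payload length, the payload, then at least 16 bytes of padding) follows RFC 6520, and the rejection condition in the fixed handler mirrors the one the real patch added.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define HB_PADDING 16   /* RFC 6520: a heartbeat carries at least 16 bytes of padding */
#define HB_HEADER  3    /* 1 byte type + 2 byte payload_length */

/* Constructed stand-in for process memory: the received heartbeat record
 * sits at the start, and data the peer must never see sits right after it.
 * The "secret" is a placeholder string, not real key material. */
static uint8_t g_memory[512];
static const char g_secret[] = "SIMULATED-TLS-PRIVATE-KEY";

/* Write a heartbeat request into g_memory. claimed_len is what the sender
 * puts in the length field; real_len is how much payload was actually sent.
 * Returns the length of the record that really arrived on the wire. */
size_t build_request(uint16_t claimed_len, const uint8_t *payload, size_t real_len) {
    size_t rec_len = HB_HEADER + real_len + HB_PADDING;
    memset(g_memory, 0, sizeof g_memory);
    g_memory[0] = 1;                               /* TLS1_HB_REQUEST */
    g_memory[1] = (uint8_t)(claimed_len >> 8);
    g_memory[2] = (uint8_t)(claimed_len & 0xff);
    memcpy(&g_memory[HB_HEADER], payload, real_len);
    /* padding bytes are already zero; the secret lives just past the record */
    memcpy(&g_memory[rec_len], g_secret, sizeof g_secret);
    return rec_len;
}

/* Pre-patch behaviour: trust the length field inside the record and echo
 * that many bytes back, regardless of how many bytes were received. */
long heartbeat_vulnerable(const uint8_t *rec, size_t rec_len,
                          uint8_t *out, size_t out_cap) {
    (void)rec_len;                                 /* never consulted: that is the bug */
    size_t payload_len = ((size_t)rec[1] << 8) | rec[2];
    if (payload_len > out_cap)                     /* demo guard only, so the example
                                                      stays inside g_memory */
        payload_len = out_cap;
    memcpy(out, rec + HB_HEADER, payload_len);     /* reads past the real record */
    return (long)payload_len;
}

/* Patched behaviour: header + claimed payload + minimum padding must fit
 * inside the record that actually arrived, otherwise the request is dropped. */
long heartbeat_fixed(const uint8_t *rec, size_t rec_len,
                     uint8_t *out, size_t out_cap) {
    if (rec_len < HB_HEADER)
        return -1;
    size_t payload_len = ((size_t)rec[1] << 8) | rec[2];
    if (HB_HEADER + payload_len + HB_PADDING > rec_len)
        return -1;                                 /* silently discard, as the fix does */
    if (payload_len > out_cap)
        return -1;
    memcpy(out, rec + HB_HEADER, payload_len);
    return (long)payload_len;
}

/* Does the response contain the placeholder secret? */
static int contains(const uint8_t *hay, size_t hay_len, const char *needle) {
    size_t n = strlen(needle);
    for (size_t i = 0; n && i + n <= hay_len; i++)
        if (memcmp(hay + i, needle, n) == 0)
            return 1;
    return 0;
}

/* Scenario: a 2-byte payload whose length field claims 200 bytes. */
int vulnerable_leaks_secret(void) {
    uint8_t out[256];
    const uint8_t probe[] = { 'h', 'i' };
    size_t rec_len = build_request(200, probe, sizeof probe);
    long n = heartbeat_vulnerable(g_memory, rec_len, out, sizeof out);
    return n == 200 && contains(out, (size_t)n, g_secret);
}

/* Same dishonest request against the fixed handler: rejected with -1. */
long fixed_rejects_oversized(void) {
    uint8_t out[256];
    const uint8_t probe[] = { 'h', 'i' };
    size_t rec_len = build_request(200, probe, sizeof probe);
    return heartbeat_fixed(g_memory, rec_len, out, sizeof out);
}

/* An honest request (claimed length matches what was sent) is echoed: 2 bytes. */
long fixed_echoes_honest(void) {
    uint8_t out[256];
    const uint8_t probe[] = { 'h', 'i' };
    size_t rec_len = build_request(2, probe, sizeof probe);
    return heartbeat_fixed(g_memory, rec_len, out, sizeof out);
}
```

The leak needs no memory corruption at all: the vulnerable handler never writes outside its buffers, it simply reads further than it should, which is why the bug survived in production for two years without crashing anything.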

Then there was Shellshock, another serious vulnerability, this time in the Bash shell. Bash imports shell functions from environment variables whose value begins with “() {”, and because of a parsing bug it kept executing whatever followed the function body. Anything that placed attacker-controlled input into the environment of a Bash process, most commonly CGI scripts on web servers, let an attacker run their own commands on vulnerable OS X, BSD and Linux systems. We wrote about it last September.
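The following is an added example in C (not from the original article, and not Bash’s own parser) that models the two halves of the bug: the prefix test Bash used to decide that an environment value is an exported function, and the trailing text that the unpatched shell went on to execute. The header lines are a constructed sample, not captured traffic; the brace matching ignores quoting and heredocs, which is a simplification for the example.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Bash only treated an environment value as an exported function when it
 * began with exactly "() {" (the pre-patch prefix test). */
int looks_like_exported_function(const char *value) {
    return value != NULL && strncmp(value, "() {", 4) == 0;
}

/* Find the end of the function body by brace depth. Quoting is ignored:
 * a simplification for the example, not Bash's real parser.
 * Returns a pointer just past the closing brace, or NULL if unbalanced. */
static const char *end_of_body(const char *value) {
    const char *p = strchr(value, '{');
    int depth = 0;
    if (p == NULL)
        return NULL;
    for (; *p; p++) {
        if (*p == '{')
            depth++;
        else if (*p == '}' && --depth == 0)
            return p + 1;
    }
    return NULL;
}

/* Pre-patch logic: after defining the function, Bash kept parsing the rest
 * of the string as ordinary shell input. Returns a pointer to the trailing
 * command that would have been executed, or NULL if there is none. */
const char *shellshock_trailing_command(const char *value) {
    const char *tail;
    if (!looks_like_exported_function(value))
        return NULL;
    tail = end_of_body(value);
    if (tail == NULL)
        return NULL;
    while (*tail && (isspace((unsigned char)*tail) || *tail == ';'))
        tail++;
    return *tail ? tail : NULL;
}

/* Patched logic: the import only succeeds when nothing follows the body. */
int import_accepts(const char *value) {
    return looks_like_exported_function(value)
        && end_of_body(value) != NULL
        && shellshock_trailing_command(value) == NULL;
}

/* Detection over "Header: value" lines: count the values that carry a
 * trailing command, which is what a CGI-based attack would look like. */
int count_suspicious_headers(const char *const *lines, size_t n) {
    int hits = 0;
    for (size_t i = 0; i < n; i++) {
        const char *colon = strchr(lines[i], ':');
        const char *value = colon ? colon + 1 : lines[i];
        while (*value == ' ')
            value++;
        if (shellshock_trailing_command(value))
            hits++;
    }
    return hits;
}

/* Constructed sample request headers, not captured traffic. The second one
 * is the widely published harmless test string. */
static const char *const SAMPLE_HEADERS[] = {
    "Host: example.test",
    "User-Agent: () { :;}; echo vulnerable",
    "Accept: */*",
    "X-Legit-Function: () { echo hello; }",
};
#define SAMPLE_HEADER_COUNT (sizeof SAMPLE_HEADERS / sizeof SAMPLE_HEADERS[0])

int scan_sample(void) {
    return count_suspicious_headers(SAMPLE_HEADERS, SAMPLE_HEADER_COUNT);
}
```

Only the second header is flagged: the fourth is a well-formed exported function with nothing after its body, which is exactly what the patched shell still accepts.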


Finally, there’s the Linux GHOST vulnerability, a flaw in glibc, the C library at the heart of every major Linux distribution. It was as nasty as the other two in terms of the number of systems it affected, and the potential for abuse that came with it.

GHOST (CVE-2015-0235) was a heap buffer overflow in glibc’s gethostbyname() family of functions. When a hostname consisted only of digits and dots, the code sized its scratch buffer one pointer too small, so a hostname of just the right length overflowed the heap by four bytes on 32-bit systems and eight on 64-bit ones. Any network service that passed an attacker-supplied hostname to those functions could be hit, and Qualys, who found the bug, demonstrated remote code execution against the Exim mail server. The fix had actually landed in glibc 2.18 back in 2013, but it wasn’t recognised as a security fix, so long-term-support distributions kept shipping the vulnerable code. Either way, an attacker could run their own commands on an affected server without so much as a username or password.
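The check below is an added example in C, not from the original article and not Qualys’s published code, although it follows the same approach: look up a numeric hostname sized to fill the resolver buffer exactly, and watch a canary placed right after that buffer. On a patched glibc the call refuses with ERANGE and the canary survives; on an unpatched one the hostname copy overwrites it. The result codes and the “inconclusive” verdict for other C libraries (musl, for instance, takes a different path for numeric names) are assumptions of this example.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <netdb.h>
#include <stdio.h>
#include <string.h>

/* Declared explicitly so the example still builds when the compiler runs in
 * a strict ISO C mode that hides this extension in <netdb.h>. */
int gethostbyname_r(const char *, struct hostent *, char *, size_t,
                    struct hostent **, int *);

/* Result codes for ghost_check(). */
enum { GHOST_NOT_VULNERABLE = 0, GHOST_VULNERABLE = 1, GHOST_INCONCLUSIVE = 2 };

/* A resolver buffer followed by a canary. If the overflow fires, the
 * hostname copy runs past buffer[] and overwrites the canary. */
#define CANARY "in_the_coal_mine"
static struct {
    char buffer[1024];
    char canary[sizeof CANARY];
} g_temp = { "buffer", CANARY };

int ghost_check(void) {
    struct hostent resbuf, *result = NULL;
    int herrno = 0, retval;
    /* The vulnerable size calculation allowed for a 16-byte address, two
     * address pointers and the NUL terminator, but forgot the alias pointer.
     * A numeric hostname of exactly this length fills the buffer and spills
     * one pointer's worth of bytes into the canary on an unpatched glibc. */
    size_t len = sizeof g_temp.buffer - 16 * sizeof(unsigned char)
               - 2 * sizeof(char *) - 1;
    char name[sizeof g_temp.buffer];

    memset(name, '0', len);
    name[len] = '\0';
    memcpy(g_temp.canary, CANARY, sizeof CANARY);    /* reset between runs */

    retval = gethostbyname_r(name, &resbuf, g_temp.buffer, sizeof g_temp.buffer,
                             &result, &herrno);

    if (strcmp(g_temp.canary, CANARY) != 0)
        return GHOST_VULNERABLE;          /* the copy overran the buffer */
    if (retval == ERANGE)
        return GHOST_NOT_VULNERABLE;      /* patched glibc refuses: not enough room */
    return GHOST_INCONCLUSIVE;            /* another libc or resolver path */
}

int main(void) {
    static const char *const verdict[] = { "not vulnerable", "VULNERABLE", "inconclusive" };
    printf("GHOST check: %s\n", verdict[ghost_check()]);
    return 0;
}
```

The lookup never touches the network: a digits-and-dots name is handled entirely inside glibc before any DNS or NSS backend is consulted, which is also why the bug was reachable from so many services.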

Budgets and Volunteers

This isn’t an exhaustive list, but, as Zemlin pointed out, each of these vulnerabilities has something in common. They all hit significant Linux components that were suffering from a shortage of funds, or a shortage of volunteers.

Take OpenSSL, for example. In the months leading up to the discovery of Heartbleed, it had received less than $2,000 in donations. According to Zemlin, for a long time it was being maintained by two volunteer developers. Coincidentally, both of them were called Steve.



NTPd, the reference implementation of the Network Time Protocol, keeps Internet-connected Linux computers on time. Certificate validity checks, Kerberos tickets and one-time passwords all depend on an accurate clock, so it is vital for encryption to work in practice. It is being worked on by one part-time volunteer. Bash and OpenSSH are in similarly dire straits.

Meanwhile, the Linux kernel is flush with funds and volunteers, and is supported by some of the biggest names in technology, like Red Hat, Google, and even Microsoft, albeit not for long. There’s a huge inequality in the allocation of resources, with some core Linux components far better off than others.

It used to be the case that Linux could get by on security through obscurity. But as it’s increasingly used as a server and desktop OS, it can no longer depend on that. Linux is now an incredibly lucrative target for hackers and other digital ne’er-do-wells.


The entire Linux community has to make sure that the small, but often forgotten parts of the OS are sufficiently funded, staffed, and able to deal with security threats as they emerge.

Linux’s Successor

But if these changes fail to happen, and the fundamental security of Linux is brought into question, it seems all but certain that companies and users will move elsewhere. But where will they go?


The motto of OpenBSD is “Only two remote holes in the default install, in a heck of a long time!”.

It’s true.


OpenBSD was founded by Theo de Raadt in late 1995, with its first release in 1996. It started life as a fork of NetBSD, after the notoriously fiery de Raadt was kicked out of that project over “personality differences”.


Since then, only two remotely exploitable vulnerabilities have been found in OpenBSD’s default install. That’s a negligible number compared to Linux, Windows, and yes, NetBSD. The caveat is the phrase “default install”: anything you add on top, and that included OpenSSL before the project forked it, is outside that count, which is why OpenBSD users were just as exposed to Heartbleed as everyone else.

That’s no accident. OpenBSD is designed from the ground up to be secure. Code is audited for bugs and security flaws, developers have to abide by strict secure coding guidelines, and the project pioneered exploit mitigations such as W^X, stack protection and privilege separation that other systems adopted later. Crucially, it’s small, and ships only a minimal set of services in the default install, which keeps the attack surface down.

Although OpenBSD itself is obscure, many of its components have found success in other operating systems: OpenSSH, OpenNTPD, the PF (Packet Filter) firewall and, since Heartbleed, LibreSSL, its fork of OpenSSL.

This “security by design” ethos is appealing to companies who are eager to avoid embarrassing security breaches, and to users who are looking for a more secure computing experience.

For a more detailed comparison between Linux and BSD, check out Danny Stieben’s piece, Linux vs. BSD: Which Should You Use?

Windows 10

I know. Endorsing Windows 10 and suggesting Linux might have hit its peak is almost like signing my own execution warrant. At the very least, it’s certain to provoke some angry comments.

But although some might not like to admit it, Microsoft’s immense wealth gives it a relative immunity to some of the problems Linux faces.

If a severe vulnerability crops up in a vital part of Windows 10, for example, there’s no question Microsoft would have the available funds and manpower to deal with it. Microsoft don’t have to rely on the motivation of individual volunteers. They’ve got dedicated, paid employees.


Although Windows’ track record in all things security is up for debate, Windows 10 is a vast improvement on previous versions, and has been touted as the “most secure Windows ever”.

But even if that’s not the case, it’s easily the best Windows ever. With its revamped aesthetic, improved browser, and Cortana, it’s a joy to use on both the desktop and the tablet.

Despite that, the thought of using Windows 10 might be a little too unpalatable for many Linux users.

Is There Any Hope For Linux?

The Linux world has a major problem. How can it ensure that the significant, but often neglected, components of the OS are sufficiently resourced? If this isn’t fixed, then you can all but guarantee Jim Zemlin’s predictions will come true, and Linux will enter a slow and unstoppable decline.

But what do you think? Is the end nigh for Linux? Or will it survive? Let me know what you think in the comments below.

Photo Credits: omihay; Glass Jar (Lemon Tree Images)

Related topics: Computer Security, Linux.


  1. nigra
    January 23, 2017 at 9:09 am

    As a Linux admin, I'm not worried one bit. It is more a testament to the openness of Linux than to the insecurity. You fail to mention that Microsoft has for decades worked hard to lie about security holes, denied them and then tried to sweep them under the carpet, lest it damage the reputation of their fair OS.
    Well, in security, full disclosure works best. All the mentioned holes are already fixed, long ago. And then many of them, on closer inspection, are not easy to actually exploit; this is often the reason that they are not fixed in a frantic way. But knowing about them is important. I was easily able to secure my systems; none was exploited, or could have been, as Linux offers a ton of ways to harden security.

    Before claiming that BSD has magic code that is super secure and can never be hacked or exploited (no software or OS to date can claim that without telling a lie), you might want to mention that BSD lives in the bubble of software rarely used, as only a tiny percentage of all systems run it. That makes for a system that nobody wants or tries to exploit, much less report security holes on.
    And quoting Windows 10 as a secure alternative to Linux???? Really?
    Do you read news? Last time I checked, Windows is the OS that is struggling with Crypto Trojans, not Linux. And this, considering that Linux Server would be a very profitable victim for this type of attack, as they are generally larger than their Windows counterparts (Linux scales better), but no such exploit and the resulting damage has ever been shown on a Linux system so far.
    When considering how much Linux is used of all OSes and how few viruses and concrete damage cases it receives, it shows that it is indeed a very secure OS, and discovering and fixing these holes mentioned in the article above (and all the other vulnerabilities reported in the last 10 years) make it even more so.

  2. Bert
    January 28, 2016 at 7:47 pm

    touted as the “most secure Windows ever”. ...Would that be because they are too busy spying on you for anything else to get by?

    • Matthew Hughes
      January 28, 2016 at 8:36 pm

      Ha, I'm not sure that's how it works dude. :)

      • bert
        January 28, 2016 at 11:12 pm

        Just being an ass; sadly though, the telemetry, data mining crap is out of hand, and I have always been a Win user but I am put off and toying with Linux Mint.

  3. Anonymous
    October 18, 2015 at 3:07 pm

    What I got from this article; We should be funding the Linux Foundation more!

    • Matthew Hughes
      January 28, 2016 at 8:34 pm

      That was the intent, for sure.

  4. Anonymous
    October 14, 2015 at 1:15 pm

    In Windows, a program running in user space can bring down the entire system. This security flaw has been part of Windows for so long that it has become a feature. With $millions supposedly dedicated to fixing any problems, Microsoft has been either unable or unwilling to fix this particular problem for decades. With the amounts of money and the number of programmers M$ can throw at problems, Windows should be the most solid and secure O/S in the world. Unfortunately, it isn't, by a long shot.

  5. Anonymous
    October 14, 2015 at 2:24 am

    Not sure your recommendation of Windows is fair. Microsoft does have the funds to make Windows very secure, but they will never use their wealth for that.

    Windows exists solely to make profits for Microsoft executives and shareholders. They don't care about you or your security as long as they can make money ignoring it. If you give Microsoft $100 then Microsoft will have $100.

    Linux is a community effort with many people contributing, it isn't simply about turning a profit. If you donate $100 towards Linux, then $100 will be spent making Linux better.

    • Anonymous
      October 14, 2015 at 7:11 pm

      Kind of a blanket statement there. I'll never be accused of defending Windows executives' and shareholders' perks and bonuses and outrageous excesses any more than I'll turn the page to the just-as-thick Apple chapter...but to say, "Microsoft does have the funds to make Windows very secure, but they will never use their wealth for that"?

      That's brought on by tunnel vision love of one and only one OS. I don't share that rabid devotion because I see good points in all OSes. Windows happens to be my choice because Windows does exactly what I need it to with no issues, no smoke and mirrors, no jumping through hoops. And one steadily-improving facet of Windows is the built-in security (Defender). It is worlds better than it used to be, and it updates daily on my machines. I like it so much in fact that I've dropped Avast! and Spybot, my two previous go-to's. Say what you will, I don't have security problems.

      "Windows exists solely to make profits for Microsoft executives and shareholders. They don’t care about you or your security as long as they can make money ignoring it. If you give Microsoft $100 then Microsoft will have $100."

      I see the point you're trying to make, the emphasis on avarice there, and to a point it's true as with all for-profit organizations. But if it were 100% true as you fervently believe, then there would be no free Windows 10 upgrades today ad infinitum. Yeah, you can still buy all the Windows products you want to now and from now on, but you don't have to pay one red cent to get Windows 10, you don't have to buy the app store apps, you don't have to give Microsoft any money whatsoever because there are many other free programs that run under Windows 10 that do the same thing.

      And Microsoft has actually saved me money with this free upgrade from my previous Windows 7 setup...the laptop I'm using right now, after updating, is faster and lighter-acting than the day I bought it in 2012. I can forget the Christmas laptop gift to me I'd been contemplating, now. :)

      If you really truly believe that people in the position to skim money from Linux development AREN'T...then you're just as naive as what you perceive Windows users to be. That's a laughable image...only honest people work toward Linux development.

      It's rare that Linux fanboys inspire me to comment, but sometimes enough gnats bite that you finally swat, you know? How is it that if Linux is so universe-saving, why does it have to be so hyper-sensitively defended at the end of every single article that picks a scab on Linus Turdvald's baby's knee?

  6. Anonymous
    October 13, 2015 at 5:51 pm

    "...avoid embarrassing security breeches..." *Breaches*; "breeches" are trousers. :)

    • Matthew Hughes
      October 13, 2015 at 6:09 pm

      Breeches are always embarrassing. Just more of a fashion faux-pas than a security problem.

  7. Anonymous
    October 13, 2015 at 5:39 pm

    How come heartbleed is a major problem for linux, but not for OpenBSD? Tell me what SSL library they were using prior to heartbleed. Exactly.

    Yes they forked it *after* heartbleed, but it kinda proves you are either uninformed or severely biased.

    • Matthew Hughes
      October 13, 2015 at 5:46 pm

      "How come heartbleed is a major problem for linux, but not for OpenBSD?"

      I never said it wasn't.

      The point wasn't about the architectural security of Linux, although OpenBSD is undeniably more secure by design. It was about how peripheral components in most Linux systems are managed, staffed, and funded.

      • Anonymous
        October 13, 2015 at 6:06 pm

        Well... openSSL was also a peripheral component for openBSD, so I really don't see the point you're trying to make.

  8. Anonymous
    October 13, 2015 at 4:19 pm

    Linux is a kernel. Other software runs on Linux, but in many cases that software also runs on anything else with a *nix heritage. Don't blame Linux for Heartbleed. Heartbleed is a vulnerability in an admittedly widely used userspace application. That's like blaming Windows for how crappy Adobe Flash is.

    With regard to OpenBSD: Yes, it's secure. Development work also proceeds at a snail's pace and changes outside some aspects of its security are largely immigrants from other *nixes, probably most notably FreeBSD. *BSD-derived OSes mostly need source code access to build software for your platform and specific OS, which means depriving yourself of some commercial software like Google Chrome or fully functional ATI/nVidia graphics drivers. I've worked on UNIX systems to some degree since I was a kid, but that's not something I'd want to throw at a non-technical user. FreeBSD, on the other hand, has Linux binary compatibility. This undoubtedly decreases its own overall security, but it also means a much greater level of software support. Were I to put forward another *Nix, it would be FreeBSD.

    Since the author appears to be suggesting Windows as a Linux replacement, there are a few reasons why it doesn't work or even play in the same space that Linux does. Linux doesn't (have to) cost money. This makes it ideal for things like server instances that might need to be rolled out on extremely short notice. There's also a huge degree of institutional know-how for managing vast numbers of *nix systems through well-understood scripting systems. Microsoft has PowerShell and Windows Server Core editions that can be made to work that way, but those things are new and not all that well-understood. Using Windows also means dealing with not just licensing headaches but also a lot of other Microsoft software (probably Active Directory and System Center Configuration Manager, if you have enough computers) and weird behaviors that come from security software. Those changes require a whole different set of skills and infrastructure that might not be appropriate in the places people are currently using Linux.

    Windows as a desktop? Sure. Whatever. The people who need *nix systems are going to SSH in to the machines they need to work on anyway. Desktop Linux is sufficiently rare that it probably doesn't even warrant an article.

    • Anonymous
      October 13, 2015 at 5:52 pm

      "Linux is a kernel." Fine; blame the distros for not security auditing the components they borrow.

      • Anonymous
        October 13, 2015 at 6:19 pm

        @Howard Blair,

        Yes, exactly.

        Security audits of decades-old code aren't really very sexy work and might not be a great allocation of resources for an organization providing a modification to open source software, but this stuff is so widely distributed and used that if a major player like the US government, Apple or Oracle had found the problem, in theory the fix should have been contributed and the problem patched out of existence. That didn't happen, possibly because no one is doing that basic work and possibly because the people who ARE doing that work aren't contributing their fixes to the main branch of the underlying code.