First, we have to establish the context. The Internet itself is insecure, and it cannot be made secure. Even if you made your computer or your information cryptologically secure, you cannot prevent physical access to your computer or your person. Should the powers that be (government, corporate or criminal) determine to have your data, they will get it, or take your life instead. Quite often they will settle for simply gaining some measure of control over your system even as you have your hands on the keyboard. This is something easier to prevent.
There are things which can mitigate the risk. Those same powers that be are limited. They are limited in manpower and talent. Precious few are the truly talented computer experts they can hire, not only because there is a limited supply, but because a great many of them are unwilling to work for those three entities. The simplest reason is those tend to be run by psychopaths, and psychopaths require a type and degree of control which the most talented of people seldom can tolerate. So there are a very large number of lesser talented people they hire, ranging all the way down to useless-but-loyal. The threat is mitigated by the overwhelming size of the victim pool against a tiny pool of talented attackers.
In other words, the likelihood of you provoking sufficient interest from them that they would actively attack you is tiny. They rely on automation, which has distinct limits. It relies on the vulnerability of the victim computers on the virtual level. This requires a high degree of expertise by them in crafting attacks which can’t be resisted, or which human behavior patterns indicate won’t be resisted. The latter is simpler and cheaper by far in terms of return on investment.
So the greatest threat to your computer security is the profit motive. Not all profit is measured in terms of currency, but each of those three primary threats is seeking profit in some way at your expense. They seek control over your computer and the data on it. You are seeking to raise the barrier against low-level threats requiring little effort from them, yet staying below the radar of more serious threats from a directly targeted attack. Your greatest weakness is ignorance.
For most Windows users, you are simply not permitted to know too much about securing your system. Thus, even if you have plenty of money to invest in computer security, and an honest supplier, it’s only as good as the underlying system itself. Windows is inherently less secure than any other system, because the fundamental design philosophy is aimed at something else. Microsoft feels compelled to play nice with corporate partners and governments, and against the common user. The user is not the primary customer. Criminals invariably find the same hidden entrances to your computer reserved for corporations and governments. The playing field is tilted against you. It’s not impossible to have good security, but with Windows the gap between default settings and high security is very wide, and often quite expensive to bridge in terms of third-party protection measures.
The path to greater security is highly obscured, actively hidden by Microsoft beyond a certain minimal level. You have to be a member of the club, pay the high fees for access to the official source of information, and agree not to divulge it under very heavy financial threat. The inner workings are very tightly guarded from you also by a significant wall of commercial advertising. The average user is constantly assured by the governments, corporations and criminals, too: This is as good as it gets. Those corporations include the ones which dominate the public information franchises. Breaking out of this matrix requires breaking strong taboos in the global merchant culture. It requires a significant bad experience, along with a general public sense of malfeasance in the entire ecosystem, for people to begin seeking change.
The real issue is not superior technology, but different technology, a different approach to the basic questions of what computers should do. The Open Source approach is different from what everyone else expects. It is a matter of human cultural factors broad and subtle. Computer security is more about humans than their computers, but it’s a complex matrix of the humans involved on all sides of the virtual world — the users, the developers, the big players who have a hand in the final result. There are fewer commercial big players in the Linux world, and it’s almost off the radar of the average consumer.
In Linux generally, the default security is much higher from the start. Naturally, this means Linux is also a bit more difficult to use at first; the learning curve is steep. It’s all the more steep because the majority of humans who have used computers have used Windows first, and Linux is quite different in many ways. Plenty of people make the transition easily enough, but frankly the candidates for migration are self-selecting — the sort of people who tend to be dissatisfied with Windows, looking for something different. That something different, at least with Open Source, costs less in terms of wealth, and more in terms of effort. It is also generally more secure, though we could argue all day why and how. The primary difference which no one can dispute is the lack of catering to governments, corporations and criminals. It’s also not user-centric, but developer-centric, and Open Source developers are almost uniformly paranoid about computer security.
On top of this, I’ve noted already in yesterday’s post how using Linux compels the user to learn more, to take more responsibility, thus changing the security habits. Again, it is the user’s ignorance which is his worst enemy, and Linux as an environment strengthens that weakest link. The broader community of Linux users seldom operates from the profit motive, at least not directly. Since the software itself is an open product, the money has to come from service and support. The primary reason this makes so much money is that there is a huge market of folks who want the security they perceive Linux offers without the learning. The primary big money in Linux is service and support, followed by books and education courses. But if you are willing to learn, you don’t have to pay, because the same information is already freely available, to any depth you wish to explore.
I notice that Linux is now more developed and user friendly, especially about the interface. It is easier, like using Windows.
well said…