I don’t know where you got the notion from that Linux as a whole uses this concept, but it’s nonsense. There’s exactly one place where this definition fits, which is the GRUB bootloader encryption (which merely shifts the target for the Evil Maid attack from the initramfs to GRUB). But this is already adressed with Verified Boot.
Nothing else, let it be LUKS, PAM, SELinux, AppArmor or whatever has any business with STO.
That doesn’t make any sense as argument no matter how you spin it. Linux is the dominant system for servers for decades now, and a Debian Desktop is quite literally the same as Debian on a server except it also got a GUI of your choice slapped on top. There’s absolutely nothing obscure about it, neither did anyone from the kernel team (Linux), FSF (GNU utils) nor IBM / Red Hat (systemd & honestly way too much other stuff) etc. ever design something around STO. That’s a domain firmly situated in proprietary code since for FOSS it doesn’t make sense to begin with. The false errand of GRUB is the sole exception, well known and solved.
The desktop market share says absolutely nothing about what you’re trying to argue. Now if you were to argue that Linux is lacking in terms of desktop software isolation then you’d have a point, things like Flatpak still are addressing lots of issues. But to say “Linux” approaches security with obscurity is total nonsense.
There was never an actual notion of “security through obscurity”. LInux runs the complete Internet and most coporate server infrastructure. That’s where the actual money is.
People hallucinating that Linux is something obscure simply have no clue and confused their home desktop for real computing. Windows desktops are constantly targeted not because they are -unlike Linux- so wide-spread but because they are already insanely insecure. They are the low hanging fruit where you can cobble together some cheap shit and will still find million of PCs vulnerable. If you want to find a Linux comparison it’s definitely not server or desktops but cheap IoT devices not having seen an update (or any security to speak of) for many years.
For reference: We are talking about guests in a virtual pc escaping it’s container. That’s not something obcure. That’s basically all cloud hoster’s whole business model, thus the reason Google pays a lot of money for finding such exploits.
Windows desktops are targeted because any place you have a user, you have a vulnerability. The vast majority of Linux installs are servers with extremely limited user activity, which narrows the attack vectors significantly.
The selfhosted guys are correct with that. Of course its not a magic pill, but it can help to minimize the attack surface immensely with little effort.
Linux’s “security through obscurity” was never going to last.
Edit: it’s a common concept in hacking. Shorthand for a type of security through improbability.
I don’t know where you got the notion from that Linux as a whole uses this concept, but it’s nonsense. There’s exactly one place where this definition fits, which is the GRUB bootloader encryption (which merely shifts the target for the Evil Maid attack from the initramfs to GRUB). But this is already adressed with Verified Boot.
Nothing else, let it be LUKS, PAM, SELinux, AppArmor or whatever has any business with STO.
From the fact it used to have to smallest user base of the big three. Less users = less probability of a nefarious person.
It’s really not that difficult a concept. I’m surprised people here are asking what it is.
That doesn’t make any sense as argument no matter how you spin it. Linux is the dominant system for servers for decades now, and a Debian Desktop is quite literally the same as Debian on a server except it also got a GUI of your choice slapped on top. There’s absolutely nothing obscure about it, neither did anyone from the kernel team (Linux), FSF (GNU utils) nor IBM / Red Hat (systemd & honestly way too much other stuff) etc. ever design something around STO. That’s a domain firmly situated in proprietary code since for FOSS it doesn’t make sense to begin with. The false errand of GRUB is the sole exception, well known and solved.
The desktop market share says absolutely nothing about what you’re trying to argue. Now if you were to argue that Linux is lacking in terms of desktop software isolation then you’d have a point, things like Flatpak still are addressing lots of issues. But to say “Linux” approaches security with obscurity is total nonsense.
Security through obscurity in OSS lol
There was never an actual notion of “security through obscurity”. LInux runs the complete Internet and most coporate server infrastructure. That’s where the actual money is.
People hallucinating that Linux is something obscure simply have no clue and confused their home desktop for real computing. Windows desktops are constantly targeted not because they are -unlike Linux- so wide-spread but because they are already insanely insecure. They are the low hanging fruit where you can cobble together some cheap shit and will still find million of PCs vulnerable. If you want to find a Linux comparison it’s definitely not server or desktops but cheap IoT devices not having seen an update (or any security to speak of) for many years.
For reference: We are talking about guests in a virtual pc escaping it’s container. That’s not something obcure. That’s basically all cloud hoster’s whole business model, thus the reason Google pays a lot of money for finding such exploits.
You could have just said that you don’t know what “security through obscurity” is.
Windows desktops are targeted because any place you have a user, you have a vulnerability. The vast majority of Linux installs are servers with extremely limited user activity, which narrows the attack vectors significantly.
In any system, the human is usually the weakest link.
The self-hosted crowd thinks reverse proxies protect you from the Internet. Don’t expect too much of them.
You are right about that a reverse proxy does not protect. But I can not relate that with security through obscurity.
The selfhosted guys are correct with that. Of course its not a magic pill, but it can help to minimize the attack surface immensely with little effort.
Security through what now?
Well, I guess it is obscure… Though only because the number of people who have a full grasp on how the code works is highly limited.