People are usually the weakest link in security and I agree with you that you can't simply lock a system down completely. There's always a trade-off between security & usability of the system following the CIA triad of information security of course.
Indeed and so true.
Well done DJ, indeed an important video here, and totally true: no OS is secure out of the box; it is the user/admin who can do that, to the level allowed to do his work.
Another video that's made me think. So after watching, and liking this video, I believe I'm understanding your points. I've worked in Windows shops now for about 10 years...and have been running Linux on my main personal boxes for about 4 years. I've seen Security issues with both as you've mentioned. This video ties all that I've experienced into a nice package...and makes me think you're entirely correct. One of the worst enviros I've seen was where there was a multi-tree'd AD workspace with GP that was ridiculous: tight in policy that makes you scratch your head - what were they trying to prevent happening...and loose to the point of being non-existent where tight GP was needed...plus the users were all in Health Care - non-technical to a fault sometimes. The only one of your three mantras that was properly addressed was the Software providing endpoint protection: they paid for the best AV/AM on the market IMO. Having said all this... I think DJ that you should do a follow up on this video with what you think is the best OS/Policy/Endpoint Protection combo on the market right now... thanks! :)
Great job! I have been using Linux for several years; however, I need Windows specifically for maintaining a software database for genealogy that is not yet available on Linux.
Really interesting video! Thanks DJ Ware.
Thanks Khaidir
A very respectable episode. Thanks for sharing! You definitely earned another subscriber.
Thanks M R, and welcome to the channel
There are several inbuilt security modules for Win10 touching the areas you mentioned in your video. I don't want to polemicize about how effective these solutions are, but it's quite interesting that MS keeps them all off by default for a fresh desktop install, and it's rather well hidden for an average user:
- Core isolation (Hyper-V based memory integrity protection)
- Controlled folder access (Ransomware protection)
- Isolated browsing
- Tamper protection (security options account lock)
Still I think, and I'm not here to represent MS, if you consider Win10 primarily designed as a client OS (and not a stand-alone desktop OS like Linux distros) and its huge market share, it's not doing bad at all. Linux desktop hasn't got any experience as a massive target for various attacks, plus the distro-fragmentation factor bringing up the problem with so many improperly cured distros and their repositories - If things changed overnight and Linux desktop and Win swapped their market share positions, I guess Linux desktop would suffer a terrible strike...
Great video, gives me a different perspective.
Really interesting video. Keep up the amazing work.
TRG, Thank you !
Gatekeeper on macOS prevents you from running apps not from identified developers (code signing). You can circumvent that by right clicking and choosing open, but your average user probably doesn’t know that. And even then apps can be quarantined and you will get a notice that they are damaged. macOS also throws up a lot of prompts asking if you want to install something, and requiring your admin password.
No OS is 100% safe, but in the 30 or so years I’ve been running macOS I only once got a virus… back in System 7.5 from a commercial software install disk.
Happy subscriber to your channel, man. Solid answers!
Welcome to the channel J D, and glad you enjoyed the video
Very well put together report and it is appreciated....working as a computer technician mostly with Windows based computers will state quite openly...Windows 10 is the worst crap ever and you will not change my mind on that...4 years and it is still crap! Thanks again for this video...
Martyn Page, sounds like a possible video "What's the world's crappiest OS, LOL". Thanks for the comment
Here is a link to a thread I started back in 2015 on MSFN msfn.org/board/topic/174896-official-windows-10-worst-crap-ever/...
Permit me to address a couple of issues here, and ranking OS safety generally. One, is the Rain Man syndrome, where he insisted on flying Australia's Qantas airlines because they had no crashes. (I believe they have had some since that movie came out) The point being that if you're small and specialized enough, you may seem safer than is really the case. Or someone here brought up PS4, (PlayStation I assume). That's what I mean. OK... Then there's people who will bring up NSA and various govts and Interpol spying on them, and how secure any OS is against them: others target safety against individuals and small criminal groups only; maybe that's equally short-sighted, considering how governments and hackers in places like Russia seem to work. Finally, yes, computers permanently air-gapped are the only "safe" systems. But that old chestnut has limited value. It's good for keeping one's feet on the ground, but doesn't provide much beyond that. So... One distro I avoid is Kali, even for its intended purpose. They only recently required giving root a password (other than the default toor) and something less than unlimited access. And Kali as a Windows Linux subsystem? I don't understand that, unless it's the biggest honeypot for script kiddies ever conceived!
But which one would you recommend using nowadays? Still confused.. 🙄
DJ, I read recently (2021) that a new Pegasus iPhone exploit was implemented without the interaction of the target. Someone, someday, is going to have the keys anyway and we can't do anything, or what do you think?
Hi Pedro, that answer will take a video to provide it, so today I am going to do just that.
@@CyberGizmo Wonderful !!!, Thank you DJ
Misconfigurations are much more common and dangerous. Windows used to have a configuration analyzer but they got rid of it. Lynis does an OK job for Unix systems. Blindly STIGing a Windows system introduces vulnerabilities for stand-alone systems. Kind of like when criminals operate within the law and destroy evidence.
that person must be kidding .... right?
DJ, thanks for the great video. Tell me this tho--if Windows is as secure as Linux, why are tech giants like Google almost always running Linux for the data/email servers, and why does every single High Performance computing center in the country use Linux? BTW I'm not trying to be a smart-ass, I'm actually interested. My previous impression was Linux was more secure, great video...Jim (Hazel's other half)
A good question, Hazel. I do not know why Google uses Linux exclusively, but I can tell you why the Air Force won't use Windows as a server: it costs too much to harden vs. Linux.
The most secure PC is the one with no Intel or AMD, 'cause they all have a back door in them, so you need a completely different chip.
Please, if you're looking for a "normal" desktop distro (not these "private" live distros) then you have only one to pick: OpenBSD...
OpenBSD at least has some muscles to show, as it was released in 2004 and the main emphasis in OpenBSD is proactive security and integrated cryptography...
@@trtrhr one minute of Google search and you would have known that OpenBSD is built up for security...
From randomized kernel to whole hardened OS.
Or are you just talking about apps?
You know you get to build the same apps that Linux has?
I have used Windows, Linux, Apple and one that was an assembly OS. The assembly was too hard, just my opinion. I agree with you.
Which Linux distro is the most secure? Avoiding those that are "eccentric" like Qubes.
As with all things it depends on how you define secure. But more importantly what you are trying to secure (this would include the type of data as well). What is the risk if the system is compromised? Sorry, it's just not an easy question to answer. Even the "security oriented" distros like Tails and Qubes have long sections of their manuals dedicated to the topic of security and more importantly keeping them secure.
@@CyberGizmo You are absolutely correct of course. But I had in mind questions like "telemetry" with rumors pointing towards Ubuntu. Also which distros are leaving ports open. I understand that Mint has closed some that Ubuntu has left open. Just basic hardening questions that would reflect on the competency and diligence of the "distro team". I think security education is really the biggest challenge for those, like myself (a professional mathematician) who would like to go from the beginner to intermediate stage in UNIX. Your efforts are truly appreciated. But I'm new to your channel. Got to catch up a bit.
How? How did you break your crystal ball? And why?
hahaha, I actually still have one, was a hand me down from my aunt, but I am just saying it's getting harder to predict the future, because of the drag the large companies are throttling advancement with their old worn out ideas
While it may not be factual?...I'm gonna go off of "personal experience"...but first? Understand:
I've been in the IT field since '99...and I now work for Amazon (IT Department) so I know my way around an operating system. I have worked with and used Windows....since its "Win'95" days...and I have seen nothing that makes me think it's "more secure" than the other two. Period. I guess because it's got the biggest "footprint" in regards to overall usage globally?..then yeah...it's gonna have the biggest "target" on its back..so it makes sense it would be the OS that gets "hit" the most with viruses, malware, Trojans etc. This does not make it more secure...it makes it a bigger target than the other two..and hence less "safe".
I have used MacOS....from its Lion/Leopard/Jaguar days, and while it seems to be more secure than Windows...(which I credit to the BSD kernel) like DJ says?...certain apps are not as "protected" as you might think...Chrome...etc. It's nice...pretty, and functional?...but because it literally locks you into their ecosystem? It's a no go for me. Not to mention their hardware seems to be overpriced and mediocre. But it has its staunch supporters nonetheless.
Have used Linux since 2002, and here's what's funny, I happen to be a techie...I love going to all kinds of websites and doing all manner of reading, and clicking on links that lead to other links etc. And to date?....on the Lenovo ThinkPad T-410 and the T-420 laptops that I have...from their respective years...and which run Fedora and OpenSuSE Linux?...I have NEVER gotten an infection, had a blue screen (of course since it ain't Windows!) or suffered any type of catastrophic event happen to either one of them...since 2011/2012!....(when those laptops were made...) so while there might not be any "factual" evidence that Linux is more secure than Windows or MacOS?....my personal experience (at least to ME) says it is....and in the end?...that's all that matters.
And yeah...I will agree with this last point. The most "secure" system?...is the one where the end user, the sys admins..and the OS are all on the same page when it comes to avoiding breaches, and compromising the network.
Cheers!
Thanks Eddie for sharing that experience and Cheers to you as well!
I haven't used a Chromebook in a couple of years, but they have the cheapest laptops by far, to the extent they have totally replaced "netbooks". Consumers have to go to "used" for Windows laptops that compete price wise, and not even second-hand Macs match Chromebooks on the low end. Clearly you don't have teenagers, or more specifically non-CS-major college students at home. For those who aren't trying to scam a gaming rig in the name of study "necessities", Chromebooks are where it's at! Although I know Google has some products that try reaching upward, I think out of embarrassment because their programmers were buying Macs. Maybe those fit your description.
2 years after the fact and I just wanted to say... GrapheneOS.
I would love to hear Don's take on GrapheneOS and Redox OS.
@@lale5767 Redox is a hella interesting project.
Thank you, dear teacher.
Very interesting review and conclusion.
I think however that it was very simplified since, for example it was only looking at Linux kernel vs Windows 10 (whole operating system, not just the kernel). That's a little unfair. And regarding macOS it only scratched the surface of what Apple is providing.
In general terms, in my opinion, Apple has an edge because of "control reach". Apple creates their own devices, and in general has fewer drivers and models to deal with. This, combined with a true UNIX architecture, and advances in hardware like the T2 chips gives them an edge. Apple also hates to support older hardware and this again simplifies things a lot. Linux and Windows have to deal with too many configurations, hardware and modes to make them effective. And Linux in particular, does not like to stop obsolete systems support.
Thanks for the comment, Deblue, perhaps, but I was only comparing the kernel features of both, however during the comparison of vulnerabilities I did not include MacOS in that comparison, I might add that to a future video. Also I was comparing Debian with Windows 10 since the article that spawned this whole response was due to someone saying Windows is more secure and then compared the number of vulnerabilities...Here is what I would say in regards to the T2 chip...no technology is secure...and eventually I predict a flaw will be discovered in it where it can be circumvented...after all it has to be turned off to allow MacOS to run...and if that is possible then it can be turned off by another app as well. Not sure what you mean by Linux does not like to stop obsolete system support though.
TempleOS. But of course there is no networking lol
lol, yep that would make it air gap'd :)
It's networked by the Holy Spirit, Heathen!
When you do analytics like that, it's hard to disagree!
Thanks Rafael appreciate the kind comment
I didn't have time to make it all the way through the video. I can say from having run a computer repair shop for the last 15 years what I've seen in the real world.
1. Every single Windows machine that has come to me (thousands) have all been infected with something. Also all of them were running some kind of AV/AM (anti-virus/Anti-malware) software.
2. I have only seen two Mac infections ever and they were browser hijackers (easily removed in less than 2 mins) Not really true infections.
3. I have never seen or heard of a single infected Linux machine....ever.
MacOS is a hell of a lot more secure than Windows in the real world and Linux is just as secure. No anti-virus/Anti-malware needed.
@PorssiMies Plot twist...you never connected to the internet. Or you are just a liar.
KERNAL has everything beat for network security.
Where is FreeBSD
OpenBSD is the most secure
OpenBSD
how in the fuck is it not even mentioned?
FreeBSD (or the less popular OpenBSD) are the most secure OS's out there. No need to waste 30min of your life watching this video. Lots and lots of talk but in the end ... it does miss the elephant in the room.
That misses the point he was making. No OS is "secure", they all have strengths and weaknesses, some better than others in particular applications. Security is a matter of risk mitigation, not risk avoidance. Security policies are only as good as the people who implement them.
It would change over time. However, right now, my answer would be Red Hat, as in a paid for Linux server solution bought from Red Hat _(which is then used as a server but also for home web browsing etc)._ You have a dude you can call up and they fix things. Would it be overspecified for some things? Probably. But if it had to be the security question, it is my current answer. Also Gallium3D in KVM Spice is worthwhile.
My comment has no hate in it and I do no harm. I am not appalled or afraid, boasting or envying or complaining... Just saying. Psalms23: Giving thanks and praise to the Lord and peace and love. Also, I'd say Matthew6.
32 minutes for "none of them" are secure. That could have been put in the title. "Most secure" is inappropriate titling.