Hi there,
Win10 is soon not supported. Tbh Linux have been on my radar since I started to break from the US big tech.
But how is security handled in Linux? Linux is pretty open-source, or am I not understanding it correctly. So how can I as a new user make sure to have the most secure machine as possible?
Microsoft being closed source hides their bugs and vulnerabilities. Even when security researchers have sent in reports MS has sat on them due to profit being motive not security, and not taking vulners seriously until the researchers say screw that and publish it.
Linux being open can have all eyes on it, and if there is an exploit, there is a community willing to help ASAP.
On many distros you may have weekly or even daily updates or patches coming through with fixes. A distro like OpenSUSE has various patch and list patch commands that show what security patches are avilailable, their status (critical, recommended) and if it’s needed on your system or not depending on what you have installed. You don’t get transparency on closed source systems.
If you are paranoid about security you can use AppArmor tools or SELinux. AppArmor can be set to learn his an app behaves, then you lock it so the app can’t do new things.
SELinux you set rules for files and folders, so even with remote access an attacker can’t access data if rules don’t allow file listing over SSH etc
When my kids were in their teens they had windows machines.
They had windows machines, because all their friends had windows machines.
you know what kids are like, click on every thing. oblivious to danger.
malware, viruses, the lot. of course, good old idiot dad had to sort it out. spending hours running anti-virus programs and malwarebytes etc
I got really annoyed one day and while they were at school. I totally removed windows and installed linux mint xfce on both their machines.
Set everything up for them exactly how I used my linux machine.
Once they were online, had their web browser open, found they could login in to all the things they liked and still enage with their friends.
I never heard a peep from them. no more anti-virus scans or malware.
It was heaven.
Ive used Linux for 20 years and never had a virus.
Most of the security is in the kernel so you can make sure you have the latest kernel. Also secureblue is a security focused distro that makes use of GrapeneOS’s hardened malloc so that’s the most secure one that I’m aware of.
I’ve used Linux Mint and other distros daily for more than 10 years. Never had a virus or malware issue and don’t even run antivirus software.
During that same time I’ve had to help friends remove viruses and malware from their Windows machines dozens of times. The latest Windows disaster I’ve assisted with was a few months ago. A retired friend had her Windows 10 machine hijacked and $8K stolen from her savings account. Making sure the malware was removed required hours of work formatting the drive and reinstalling Windows.
IMO you are far safer with a plain vanilla Linux install that you are with Windows, no matter what steps you take to secure your Windows installation.
You sure though? Windows has more viruses because it’s more popular (desktop) and monolithic, not because Linux is much better in that regard. IOW Linux is not magically virus peertube. If you run an infected file, it will infect both without much trouble. Also removing infection would be similar. At least that’s my understanding.
I just want to say that you’re probably worrying too much about it. Of course, there is lots of things one can do to improve security (which the others here are listing dutifully) and it is foolish to just assume that one’s computer is entirely secure, because as a user, you will always have the ability to bypass that.
But there’s a pretty firm consensus in the IT industry that Linux is more secure than Windows. And that the popular Linux distributions are more trustworthy organizations than Microsoft.
So, it’s good to inform yourself, but if you survived on Windows, you at least should not worry about the Linux side of things. It’s more than fine.
Security is an insanely broad topic. As an average desktop user, keep your system up to date, and don’t run random programs from untrusted sources (most of the internet). This will cover almost everyones needs. For laptops, I’d recommend enabling drive encryption during installation, though note that data recovery is harder with it enabled.
That is good advice, however sadly a lot of install scripts are basically: download this script from us, and pipe it to a root shell.
i personally wouldn’t recommend encrypted drive for a beginner though
Windows has a lot of shit to second guess the user. Linux doesn’t. Linux doesn’t babysit you. It has some guardrails but the general idea with Linux is it’s your computer, it will do what you tell it do, even if it’s a bad idea. This makes things lighter, faster, more private, but it has also led to security incidents.
Windows and Mac will watch what you are doing. If they see something suspicious, the security software can jump in and telemetry means they can notice patterns as new malware appears on their users machines. This makes the machines slower and heavier and less private, but also easier for users to deal with because they doesn’t have to actually know anything. They can just buy their way out of a problem with superdupertotallaylegitantivirus2025pro.
Anyone who says Linux doesn’t get viruses is lying to you. It does. They all do. But it’s not that common because Linux is a smaller market share so most nefarious people won’t waste their time on a smaller target unless there is something that specific target has they want. So old people using fedora kinoite to access email and facebook are fine, but Pete Hegseth watching ignoring security practices and visiting shady sites is probably a worthwhile target and could be vulnerable.
Linux has major advantageous over the industry approach of “we know best” but it also has disadvantageous. If you are the kind of person who wants to learn and improve and grow, Linux could work for you. If you are more the irresponsible buy-someone-else’s-solution-to-my-problems type, it’s not.
As others have said, Linux Security is a very broad topic. But the main thing is keeping your system updated, only install packages from your distro’s repositories, install a firewall and don’t install anything you don’t need should go a long way :)
For example, i use Alpine Linux as a desktop OS. This means i only install packages through apk, from the Alpine repositories. I run apk update and apk upgrade commands every friday. I use Flathub for most desktop software which i also update weekly. (To be even more secure, only install verified flatpak’s). my firewall has no incoming ports open (really not needed on my desktop). And i keep myself updated with the latest news regarding Alpine Linux, and Linux in general. So i am aware of most vulnerabilities as they are published. This is a pretty secure system.
Later on if you want even more security you can start following the CIS guidelines for your favorite distro, but the above should be a good start.
But good security is not just jeeping your system updated, it also means you have good backups in place, in case randsomware hits your system. And then there’s also the monitoring of your system for suspicious behaviour :) But these are far more advanced topics!
Great to hear you’re willing to move to Linux!
Like other comments pointed, there is no such thing as “most secure”. It’s a deep rabbit hole and it’s better in general to assume that any device connected to the internet is at risk. Hell, any storage can be compromised if the entity interested put enough effort into it.
I recommande reading the page on Privacy Guides, it gives a good overview. In general, you should consider your thread model: what is you situation and why do you want security or privacy for?
- Regarding security, I would say for a general case, any modern, popular Linux distro with full disk encryption is probably good enough and as secure as any other OS. I would recommande going with a Fedora Silverblue or an OpenSUSE Tumbleweed, but the more popular Ubuntu or Mint are great as well for new users.
- If you also want “good enough” privacy, you should focus more on the software you are running, and the situation of your data, especially in your usage of your web browser. But that’s a different topic entirely.
- If you actually want more advanced security though, that’s where it becomes difficult/fun. You need to consider what you are trying to protect yourself from, specifically. Virus? Maybe a compartmentized OS like Qubes might be a solution. Physical access to your device? You can get a dead man switch that kills you system disk if your laptop is taken away from you. You want to hide your OS install from a security inspection? You can set a deniable full disk encryption with a facade OS that protect your from a rubber hose attack. Probably many other things exist I am not aware of.
But anyway, if your question is “Is a Linux distro at least as secure as my previous Windows”, the answer is definitely YES imo. And if you want MOAR, it’s gonna be a fun ride!
[edit: and yes, updates! Update you system plz.]
One of the tips I’d give is the same for Windows, the best anti-virus is the user to know what he/she is doing. Linux is a better in that regard because it obfuscates very little, unlike Windows.
Also in line with viruses, given how many variants of a base system there can be, unless the virus is compiled in your machine, to my knowledge chances are higher for a virus to fail to function properly, or even at all. A way for a coder to circumvent it would be to bloat the code with system-specific instructions, which would be harder to create and optimize, but if a big enough group in resources take on the challenge, it could potentially be achieved.
On another point, something I expect to become a problem in Linux is that you need the admin’s password, which is pretty much the master key of the system, for way too many things, even to install a web browser or the equivalent of 7-Zip. With scams usually involving social engineering, having the user hand a key from a system that depends mainly on it makes the system far more vulnerable.
Now, given Windows is still the bigger desktop system, scammers and virus distribution still focus on it, but as Linux grows, more ill-intended people may focus on it.
But still, Windows has far less variants, barely anything there uses passwords or more adninistration-oriented safelocks, and is much worse for troubleshooting (and having used most systems from 98FE onward, I also think it’s getting worse), so I’d say Linux still has the advantages in those points I could think of.
Also in line with viruses, given how many variants of a base system there can be, unless the virus is compiled in your machine, to my knowledge chances are higher for a virus to fail to function properly, or even at all.
Cross-platform malware does exist, and one of the most common and practical forms is malicious browser extensions. A harmful Chrome or Firefox add-on can function just as effectively on Linux as it does on Windows.
On another point, something I expect to become a problem in Linux is that you need the admin’s password, which is pretty much the master key of the system, for way too many things, even to install a web browser or the equivalent of 7-Zip. With scams usually involving social engineering, having the user hand a key from a system that depends mainly on it makes the system far more vulnerable.
Multiple types of dangerous malware can run on Linux without requiring root privileges. As previously mentioned, malicious browser extensions pose a significant threat. Harmful actions like deleting files or logging keystrokes can also be carried out using a Python script that doesn’t need root access.
Linux is undoubtedly more secure than Windows for a variety of reasons, but Linux users should still remain cautious. No system is completely invulnerable.
What do you mean most secure? Because that is a very broad thing.
Since I was referring to win10 losing support I thought it was understood that I asked about security updates like windows does. Pardon me. But to specify, how is the ongoing security updates working on Linux? Who does it? Is it even being done? It is an assumption on my side that the security is done in the same manner like win and mac, with continuous updates but that might as well be a wrong assumption.
It depends on how you installed it.
If you installed something via apt on a Debian based system then Debian will track the projects and push updates when the are available. If you are doing things with Snap or Flatpack then the developers of those specific applications will have some form of update plan.
Ah okay… I am kinda new in the lingo so sorry if I butcher some of it.
So it is the developers of the distros who are pushing updates?
I know you can never trust companies like Microsoft, but they are a bit more regulated by laws as they are big corps… How can you trust a distro enough to e.g. use online banking ?
I think the ethos of open source flips this thinking. You should not trust. Microsoft may not be noting down your banking details, but you actually don’t and can’t know if it is. What it is doing is storing other personal data, because that is in its policies. Now, to what extent it takes advantage of this capability and permission, it is again unknown and unknowable.
Microsoft may be a big corp, but some distros are the backbone of highly critical systems, and collectively they run the vast majority of servers.
You don’t “trust” your distro. Or your laws. Everything being done is in the open, so you can see for yourself. If you lack the knowledge to do that, there are others who are doing it and many are sharing what they find. You will “trust” on some level, because of its reputation, how established it is, but trust here means something very different from letting a huge blob of unknown code do whatever it does because I trust you.
This is actually what I am a bit afraid of. Im danish and Denmark is becoming way to digital in the sense where we use digital ID to access banking and other systems which needs you to be identified (tax, healthcare etc).
The open source stuff is a bit daunting when you actually don’t know shit like me.
But as you say, Microsoft might not be better.
Honestly, Microsoft is one of the most active participants in the shitty fascist dystopian surveillance shitshow in the us right now. It’s not that it “might not be better”, they are literally one of the worst.
Open source doesn’t work on trust, it works on scrutiny. Which is much easier to do when everything is open and therefore auditable. The threat model is very different, and the mitigation process is much faster since thousands of companies, including the biggest ones, need a secure Linux to run all their servers.
Open source software security issues comme mainly from :
- plain old bugs like everything else
- supply chain attacks (Example), which are actually very difficult to pull off since they tend to actually fail because of said scrutiny
What open source software won’t do because doing so would immediately kill a project:
- deliberate backdoors “for law enforcement” like most commercial platforms
- invasive telemetry/spyware
- Microsoft Recall that literally records and stores indefinitely absolutely every single interaction you have with your computer
- basically everything that’s deliberately harmful to privacy and/or security
- enshittification to maximize profit since there is basically no financial incentive and no venture capitalist behind distros
If you’re trying to avoid forced telemetry and similar tracking, you’re generally safer with most of the big Linux distros. Most of them don’t collect data at all, and if they do, it’s usually easy to opt out with just a click.
Going for lesser-known distros does increase your risk a bit, but the fact that they’re open source helps deter some bad actors, since the code can be inspected by others.
And if you’re worried about super-sophisticated backdoors, keep in mind you’re not exactly safe with Microsoft either. A rogue employee could still cause harm, and because it’s closed source, any malicious changes might take way longer to catch.
That’s an interesting question. It’s pretty nuanced. I don’t know of any laws that would stop Microsoft from going “oops, we had a bug in our software, sorry about that”. Same for the linux distros. Unless you’re a corporate customer, then that would be included as part of some contract. So at the end of the day you trust Microsoft’s reputation. You’d trust your distro of choice as well. So as a thought experiment I would suggest that the most secure operating system provider is the one that ships a very similar version of its OS to both end-users and enterprise customers. Some Linux distributions fall into that category, some definitely not.
Also, keep in mind that some distros are run mostly by individual contributors not employed by any knowingly reputable company, so I’d stay away from those by default.
You’re going to need to be more specific. There are dozens of aspects of security.
But if you want to have the most secure machine, then never turn it on, encase it in lead, and drop it at the bottom of the ocean.
Since I was referring to win10 losing support I thought it was understood that I asked about security updates like windows does. But to specify, how is the ongoing security updates working on Linux? Who does it? Is it even being done? It is an assumption on my side that the security is done in the same manner like win and mac, with continuous updates but that might as well be a wrong assumption.
Security updates are provided by each package maintainer and released on their own schedule. Microsoft releases updates monthly on Patch Tuesday, unless there’s a severe vulnerability that can’t wait. But since Linux is a bunch of different packages rolled into a distro, there’s no one authority managing updates.
So, this means you might get them faster, or if a maintainer is not engaged, slower. Or, if a package is abandoned, not at all. Distros generally make sure their provided packages are maintained, but updates to third-party packages are not guaranteed.
it’s similar. in a mainstream distribution with a desktop environment, updates can typically be configured to notify you or install automatically. it’s common for those updates to now also include third-party sources like flathub.
upgrades (to a next point release or major version) are different, some can be fairly straightforward–others, not so much. and those upgrades will be more frequent, as the “lifecycle” for most linux distributions is shorter than windows’ 10 years.
It’s kind of like Windows. You just hit that shiny “Update” button and boom, your software’s up to date and more secure. Depending on your Linux distro and setup, you might not even need to reboot, which is pretty cool.
Under the hood, most distros don’t really separate security updates from regular ones for everyday apps like your browser. They just roll them all together. But for the kernel, the super deep-core part of the system, sometimes you get security fixes without any new features. That helps keep things stable and safe.
