Why is Linux good for hacking?

[childofbodom]

I'm still fairly new to hacking so I may be wrong but I often hear people say that Linux is the best OS for hacking. I've been a Linux user for a long time as well as some Windows although Linux is my main preference. Maybe it's because I never used Windows a lot but why is Linux so much better for it? I've used both and never really had any issues with either. A few programs were Linux only software but other then that I never had issues.

[faazshift]

Among others...

-> Linux is built to be highly configurable
-> Linux is open-source, so you can take full advantage and even make it more powerful
-> Linux is built on the command-line, which is expediting, more powerful, and an all around better interface for the subject (as opposed to Windows being built primarily on a GUI)
-> Linux has much more capability.
-> Linux is much more secure and reliable
-> You can do practically anything you set your mind to, with the right skill.
-> Linux is more supportive
-> Linux updates/improves quicker
-> Linux is FREE

... just to name a few.

[Goatboy]

faazshift pretty much hit the proverbial nail on the head there. Only other thing I'd add is that you get points for style. Newbs are always impressed by the black/green terminal.

[thetan]

I'm a *nix addict. I run a FreeBSD server/router at my house and i've been going on a rampage at work to switch everything over to *nix from NT (need to keep one windows 2008 server around though, because CUPS blows and samba + kerberos just doesn't really compare to Active Directory).

That being said neither is better for hacking.

Linux you get to learn and play more with the actual back bone of an OS and all of the points mentioned by faazshift are absolutely correct (except maybe one but i'll get to that later). In short, Linux just enables you to be more ninja with your OS easier. However, some of the best hackers I've met in my time hanging around the "security scene" have been complete windows aficionados. One of them even earns himself a 6 figure income working as a pen tester at lock heed marting now (he's white hat to the core) and has found countless vulnerabillites in some of the web's most popular websites.

About Linux being more secure, that's a slight misconception. The absolute fact is when you compare the vulnerability count side by side throughout any point in time of any major NT release (windows) to any major Linux distro, you will notice two things. That the discovered vulnerability count for each is remarkably close and if not, statistically Linux has had more. Which is slightly remarkable considering that NT has the largest market share of OS's out in the wild, making it the most targeted system. Also, zone-h statistics ( http://www.zone-h.org/news/id/4686 ) show Linux as the most defaced/exploited OS from 2005-2007 (they used to publish these stats every year but "mofos be lazy" i guess) this however doesn't surprise me to much though as linux has now probably the largest market share in web accessible servers.

I guess my point is, your OS doesn't make you a hacker or enable you to be one. The only thing that enables you to be a hacker is your desire to learn and creativity to manipulate systems.

[childofbodom]

I guess those are good reasons. I've always enjoyed using linux. Just never saw why people preferred it so much with hacking I simply thought it was a better OS.

I guess my point is, your OS doesn't make you a hacker or enable you to be one. The only thing that enables you to be a hacker is your desire to learn and creativity to manipulate systems.

Well said thetan.

[thedotmaster]

About Linux being more secure, that's a slight misconception. The absolute fact is when you compare the vulnerability count side by side throughout any point in time of any major NT release (windows) to any major Linux distro, you will notice two things. That the discovered vulnerability count for each is remarkably close and if not, statistically Linux has had more. Which is slightly remarkable considering that NT has the largest market share of OS's out in the wild, making it the most targeted system. Also, zone-h statistics ( http://www.zone-h.org/news/id/4686 ) show Linux as the most defaced/exploited OS from 2005-2007 (they used to publish these stats every year but "mofos be lazy" i guess) this however doesn't surprise me to much though as linux has now probably the largest market share in web accessible servers.

Thetan, you're making a common misconception there.
Yes - Linux/BSD will have had more vulnerabilities. Definitely.
People seem to read that as if that's a bad thing, however - it isn't.
Vulnerabilities are in all code and will be found in both open-source and proprietary software (though proprietary generally is less secure as corners are cut to meet deadlines, etc). With open-source software, however, these vulnerabilities are found very, very quickly and are fixed with equal speed.
On Windows/Mac, customers may have to wait months or even years (on occasion) for vulnerability fixes. Fewer vulnerabilities are found (or at least disclosed) as the source code is unavailable, so finding them is harder.
Another thing is that when a piece of software has a lot of vulnerabilities, or has had a history of them, it is looked down upon. Microsoft and other proprietary software developers know this, so will do whatever they can to downplay vulnerabilities as low risk or, even worse, as "bugs".

You also comment that Linux isn't necessarily more secure. Well, by default, it is - you can't really deny that. Windows (ok sure, recently they've attempted to implement something akin to "sudo" - though it's rubbish and doesn't work very well). However, even leaving sudo out of the question, Linux has a number of advantages over Windows in terms of security - repositories being a major one.

I don't want to turn this into a Windows vs Linux rant, but I really had to dispel the misconception that the number of security vulnerabilities reported == how insecure the software is. You made a good point about the vast number of websites, especially important ones, being on Linux/BSD - making those stats a little skewed.

[thetan]

Once again, i'm a huge *nix user and i'd choose it over windows any day based on personal preference.

I still don't believe I've made a single misconception as i have not said that either one is more secure then the other. The point i was trying to make (all though looking back i realize i forgot to explicitly state), was that neither one is truly more secure then the other. Sure bugs/exploits get patched relatively fast in open-source software (not always the case in my personal experience but we'll just say this is how it is on average). However, the biggest point of failure is from the average systems administrator and this is the case with both OS's. Sure critical security patches may be available and ready to install but the simple fact of the matter is the average person (or even average sys admin at times) has the IQ of a small fish in terms of security conscious. If i were to take a guess on how many web accessible systems (and even more non web accessible systems) are still vulnerable from critical security vulnerabilities that have patches available ...... well, i wouldn't because zone-h is a half decent indicator on how many un-patched systems are out in the wild but what i'm getting at is, theirs ALOT of un-patched systems and this goes for all OS's (Can you believe theirs still recent occurences of the sasser worm showing up in small networks? )

So in conclusion, it's not that any given OS is more secure or less secure (<personal bias>unless were talking about OpenBSD, which owns</personal bias>) as what it really comes down to is, it's the people that maintain them that suck

[thedotmaster]

Once again, i'm a huge *nix user and i'd choose it over windows any day based on personal preference.

I still don't believe I've made a single misconception as i have not said that either one is more secure then the other. The point i was trying to make (all though looking back i realize i forgot to explicitly state), was that neither one is truly more secure then the other. Sure bugs/exploits get patched relatively fast in open-source software (not always the case in my personal experience but we'll just say this is how it is on average). However, the biggest point of failure is from the average systems administrator and this is the case with both OS's. Sure critical security patches may be available and ready to install but the simple fact of the matter is the average person (or even average sys admin at times) has the IQ of a small fish in terms of security conscious. If i were to take a guess on how many web accessible systems (and even more non web accessible systems) are still vulnerable from critical security vulnerabilities that have patches available ...... well, i wouldn't because zone-h is a half decent indicator on how many un-patched systems are out in the wild but what i'm getting at is, theirs ALOT of un-patched systems and this goes for all OS's (Can you believe theirs still recent occurences of the sasser worm showing up in small networks? )

So in conclusion, it's not that any given OS is more secure or less secure (<personal bias>unless were talking about OpenBSD, which owns</personal bias>) as what it really comes down to is, it's the people that maintain them that suck

I see what you mean, but I disagree. There are some operating systems that implement, through design, methods that improve security. Now, you're right, each system can be made insecure - of course. Damn Vulnerable Linux is an extreme example. However, by default and in general, I would say that Linux is more secure than Windows.
Regardless of what you said though, people do use the "linux/firefox/apache has more vulnerabilities" argument a lot to justify using a proprietary system.

[thetan]

There are some operating systems that implement, through design, methods that improve security.

Yeah like OpenBSD (OpenBSD ftw!)

Regardless of what you said though, people do use the "linux/firefox/apache has more vulnerabilities" argument a lot to justify using a proprietary system.

I've never heard any body use that argument, i always hear it the other way around.

To say that windows has only recently made attempts to improve security would be an incorrect statement as it has never really been a minor concern with them (wtf, i can't believe i'm defending these corporate shit bags). However their security concerns in the past have primarily focused on server editions (windows server 2003, 2008 & 2008 R2). They've been implementing canary flag stack protection as David Litchfield explains here (however it was defeated, yet that was back in 03, gotta give them an A for effort though). and he even says that win 2k3 server was made to be out of the box secure (and that's coming from an industry professional in security)

Funny you'd mention that annoying and rather useless "sudo" like "feature". However, in terms of real security, if you actually took the time to dive into the security policies in NT since XP or set up a windows 2008 box running ActiveDirectory and dove into the Domain (Controller) Security Policies you'd realise, holy shit, MS does know a thing or two about security.

However, as I've said earlier, MS could care less about the "lesser" people to them only running standard home editions, so they just leave them to drown. (which is retarded)

I do find it funny that MS went with Kerberos for Authentication instead of something like Radius because Kerberos was initially an MIT project dev'd under open source under the bigger MIT project "project athena"

Anyways, i'm almost out of work, time to haul ass home!

[tgoe]

I think there are some other factors at work in terms of vulnerability statistics. Open source software is generally split publicly into at least two branches: 'for users' and 'for developers'. Bugs found in 'for developers' are counted against FOSS and are fixed before becoming 'for users'. Microsoft has no public 'for developers'. Also, finding a vulnerability in Windows has an added economic incentive to be kept secret. Add to that that IE is an essentially force-fed part of Windows which may not be counted in an OS vulnerability assessment... Pick any random open source *nix vs Windows with fish-IQ'd admins distributed evenly; which is worse from a security standpoint? Windows.

Security has always been a minor concern for Microsoft and this won't change until their monopoly is threatened.

I'd also add that zone-h is near worthless: out of date and biased.

Anyway, *nix is good for hacking because *nix is built by hackers for hackers who want to hack on *nix.