Gone

The cynics guide to securing the desktop ..

Security, is expensive, is time consuming and management can't be bothered, much easier to have a number of meetings and then produce a report demonstrating your compliance ..

I don't think there is a "most secure" operating system.

When it comes to the "most secure" the biggest issue is training, admins of any OS have extremely variable levels of competence and so do the users. A highly competent user and administrator on a more inherently insecure operating system (pick windows as an example) will actually deliver a very secure enviroment through not undertaking dangerious activities and hardening the system against unauthorised code execution/access.

An incompetent user and administrator on a computer with what may have a better security model (say *nix) who hasn't bothered patched anything because "linux doesn't need patches because it's more secure" who also runs as root is a walking security disaster.

Comparing the technical merits of two operating systems is easy out of the box, but who actually uses a box in it's out "of the box" configuration besides a few zealots? Ultimately the security of the system is going to depend entirely on the competence of it's users and administrators, and I think that it is very, very difficult to compare the expertise of administrators on two utterly different operating systems.

Users

From a security viewpoint it doesn't really matter what OS you use, if you have totally untrained users who will click on "See <insert name of starlet> naked" links without thinking.

Live DVD running TAILS

https://tails.boum.org/

but check your crypto signature

ZX80

Easy. It's an unexpanded ZX80. No one will be able to hack that sucker!

My elderly neighbor has the worlds safest computer

My next door neighbor had an old p3 computer. It was the safest in the world.

1. It was never hooked up to a network

2. No usb sticks were used

3. He only uses the software that he bought with that computer,

4. He never played a cd or dvd.

Sadly in the world today, if any one of the above activities are violated, the risk goes up no matter what operating system you use.

Anyone claimed VMS yet?

Hmm?

Most secure desktop tool: an abacus. Nuff said.

UX built to CC 3.1r4

Alias "defense-grade OS". EU implementation as ITSEC E6. Main precursor was DoD Orange Book. HP Labs probably had the first alpha of HPUX-10 to OB standard in the mid 90's but (officially) abandoned due to cost. Yes; it's "UX" - "nearly" Unix/Linux. There are versions today but not available commercially. Closest commercial relative - Linux!

negating it

I would agree with the sentiments of defining what's secure really means first. I'd say OpenBSD, and hardened GNU/Linux or *BSD. A supported up-to-date (out of the box) GNU Linux is secure enough for the mundane stuff.

The "big target" theory is a hypothesis and might be too farfetched. We are not being offered any numeric connotation. What is a big target, what is a small target and what that relationship to security of OS is, exponential, polynomial or logarithmic?

One way to decide about the question though is to rule out some candidates. So answering the question, which (family of) OS's are most insecure, I'd definitely say that it's Microsoft Windows.

Please define...

"Secure Desktop". In the comments I've seen all sorts of definitions. Some make sense, but others don't. About the only thing that most will agree on is that a simple calculator is "secure". The problem is that it lasts only until someone divides by zero.

Oh, well.

Desktop security is all very well, but you need to look at everything as a whole.

Up until a few months ago KDE looked pretty good, then they nearly lost all their entire codebase because some programmers were in charge of the hosting infrastructure and thought that replication was the same as backup. When the inevitable happened, the only thing that saved the entire KDE project was that one node had been taken offline the previous day for disposal. ie: Total luck.

The upshot is - if you have the most secure OS/Desktop in the world, that's nothing if for some reason you can't install a new version because, it's owners went bust or a malicious employee destroyed the codebase or there was an accident, etc.

Qubes OS

http://qubes-os.org/trac/wiki/QubesArchitecture

or at the very least, using Virtualbox to isolate different activities on your desktop.... I never browse the internet in the same OS/VM as my main day-to-day work.....

Where the Hell is Eadon?

I skipped the article and went straight for the comments to get my daily dose of MSogyny.

Only one poster accused of trolling, and it was pretty poor fair at that. Not enough capitals. Everyone else just being quirky, or reasonable, or a tad silly, or a bit too serious.

This is not what I come to expect. I demand to know if Eadon has been booted off. If so, let the cry go up.... 'free the Register one!'

OpenBSD is my pick for most secure

Id say the most secure OS you can deploy on a desktop is OpenBSD. I'm not denying that Linux has come a very long way, as has Windows and even OS X though I still have issues with the way Apple does things in regard to security, but as far as overall security goes OpenBSD's pretty much focused on it. The functionality is pretty easy to learn if you know any of the unix-like or UNIX operating systems.

Keep in mind though, there is no such thing as a completely secure information system. There are layers of security, as the principle of defense in depth applies of course, and a well defended system can be very difficult to crack, but nothing is completely secure. Believing that noone will ever be able to nail you is simply delusional. There will always be a vulnerability which can be exploited somewhere.

Whonix

The Whonix concept of running 2 virtual machines, one as a desktop and the other as a TOR anonymiser. The concept can run on any OS, however I prefer Linux as the base using Virtualbox or KVM. A lot of progress has been made on KVM. When WIN 7 gave me crap about installing a legal copy on my tower, I installed linux and Win7 in a virtual machine. I am NOT a gamer so that is not a consideration.

I also would run different flavors of Linux as the host and guest, just to make it more secure. I would pick the flavor (or 2) I like best as guest and use another for host.

It's the oldies but goodies...and the oddballs

Two of my nominations (VMS and AS/400, both of which I learned to program on) have been mentioned, but I will add:

1) BeOS

2) NeXT

3) Plan 9 (running on a Raspberry Pi, of course)

4) I've listened to all of the Commodore 64 and other ancient PC nominations with a laugh. Too common. You want secure? Ohio Scientific Synmon OS for their C1P model. I still have mine in the loft...now THAT is secure.

Critical Infrastructure

I've worked for several Critical Infrastructure customers in my career. Without exception, they all run Linux on the desktops that are used to manage the actual critical infrastructure. Being involved in both security and infrastructure administration, I can tell why they chose Linux.

1) Long term support. They all chose a distribution that would give their desktops an 8+ year life cycle. This was guaranteed at the moment they chose. Neither Windows nor OSX get promises like these at the launch of a new version.

1a) Portability; applications are usually easy to use on newer versions of linux. I've seen applications go for over 20 years. Both OSX and Windows don't have that track record. Granted, those applications came from UNIX, but still.

2) Customizability. Making an OS secure in the exact situation you are facing, requires good access "under the hood". Both OSX and Windows lack a lot here. They may have improved a lot, but they are still behind. Mind you, even if you have reasonable tools, it's still a highly specialized job and getting it right requires experts regardless of the OS you choose.

3) Designed as multi user, default deny, separate admin and user roles. Both Windows and OSX are designed for users first, then admin layers are added. Admin tools assume (partial) administration by the user. Because of the security model, there are large parts of Windows and OSX that are on "default allow" and only shielded by very thin security measures. This gives malware a big(ger) chance to break through on those than on (well implemented) Linux. For a critical infrastructure desktop you want something that just works and that is administered by people that are skilled admins and security experts, regardless of the OS.

Why not some form of BSD or Solaris? There is no commercial support for BSD easily available. If you want a vendor to support you because of hardware problems, you won't find hardware that will do so. Finding admins that are expert on both security and configuration of any of the BSD flavors will be difficult. This doesn't mean that some form of BSD isn't potentially as good as Linux, but that in practice, getting it up to that level is much harder for an organization. Getting Solaris supported is a pain and costs much more than Linux. The moment you run your own applications, all support is practically useless, so going that route is a dead end.

It's VMS.

It's as simple as that.

The one where you have the freedom and access to see how it works and what it is doing, and free to make it as secure as you like.

There's always one...

...muppet who thinks that viruses are predictable based on the "bums on seats" measurement and that therefore if Linux were the number 1 OS, that it would suffer as much as Windows currently does.

Nothing could be further from the truth.

It's like saying that because your toy canoe couldn't cope with a North Atlantic gale that any vessel designed for ocean going could also not withstand a North Atlantic Gale. Of course, the makers of your toy canoe are going to pitch this line at you, they don't want you to go and buy a vessel capable of such conditions, they want you to keep buying toy canoes and all the strap on extras they and their partners provide to make your toy canoe appear as though it could cope with a North Atlantic Gale. Which it wil never be able to do, because it's a toy. Toy canoe makers rely on urban myths and ignorance to maintain their sales figures. Real sailors are getting really tired of explaining the difference to sunday afternon toe dippers.

I'VE GOT IT !!!

ESXi

1. You never interact with it.

2. Everything runs in an instance which is fired up and then shut down.

3. It can be setup so entire domains running on it have no access to the files that are the ESXi OS.

4. Never seen or heard of a virus targetted at it.

5. Exploits are pointless since you only ever talk to a host OS running on it.

It's a bit bull in china shop ... and built for servers (big ones at that) ... but it makes an awesome desktop OS to host your "environment".

Also means you get the best of all worlds since you can run any OS on top of it!!!

The way I see it there's only 1 "unauthorised" way in ... take the hard drive out and plug it in to another pc then access the files.

LegOS

LegOS. It runs purely on the popular building-block platform and therefore only exists in the human imagination.

Apps on top of OS

I personally feel that the browsers or applications(that uses internet communications) that run on top of the OS can compromise the OS faster than the OSes themselves. But nothing beats a cinder-block on top of hand written paperwork. Just had to say something for NSA to read.

Secure Operating system

Ok Bill Gates was once asked what is the most secure OS he ever made. His answer was a computer that is never hooked up to the internet. As for the most secure OS he ever made is Windows 95 because you can not network more than 5 computers together. But I have proven this to be wrong also. I have loaded Windows 95 on a 2002 ASUS computer and gone online and surfed the net just fine. A little slow at loading web pages but it worked. So therefore there is no secure operating system. Even Apple and Linux are both vunerable if you know how to wright code.