| ▲ | reincarnate0x14 6 hours ago | ||||||||||||||||
Even slightly higher barriers greatly reduces attempts, and the developers have much more practice at it. Rootkits and such for unix/linux have been around forever, but with VMs and containers getting recycled and such and long term expectations around impermanence and thus programmatically recreated and verifiable configurations, it's a lot harder to get something to stick without being found. On top of that is the user interactivity model and software distribution model. For most non-admins the various protection schemes on Windows are a choice between "use my computer" and "don't use my computer" and thus basically meaningless. Plus there are fewer centrally managed repos because so much Windows software is hostile to being managed that way and large companies all have to build their own, and small organizations generally give up trying. Quick, hands-off integrity checks on linux can happen in the background and generally won't explode things. Logging is a factor too. Windows logging tends to be "nothing" or "tsunami" with not a lot in between, and when log monitoring solutions charge by volume and analysts have to comb through oceans of noise to identify potentially dangerous activity, the end result is much less effective watchdogs. I've seen a lot of "Windows -> low cost log monitor doing filtering -> high cost log monitor that people actually look at" due to this, which is obviously harder to manage and less effective. Most of this can be made the case for Windows, of course, but often isn't because getting Windows into a desired state is such a pain in the ass that it trains people into the "don't touch it, it's working!" mindset. Microsoft was making real strides towards this 20 years ago but their current product management has been security counterproductive IMHO. Doing things in the OS that look a lot like malware turns out to not be a good idea. When we were developing attacks for unix environments it was often easier to go after the application deployment or CI chains than try to root the box unless there was a juicy SSHD or bash or whatever bug, which have been highly publicized are usually rapidly fixed without needing major effort from endpoint managers. | |||||||||||||||||
| ▲ | Volundr 6 hours ago | parent [-] | ||||||||||||||||
> Logging is a factor too. Windows logging tends to be "nothing" or "tsunami" with not a lot in between You forgot mysterious GUID that shows up on exactly one forum post on the Internet with no solution. | |||||||||||||||||
| |||||||||||||||||