What's the Best Linux Distro for Enhanced Privacy and Security? (linuxsecurity.com) 95
Slashdot reader b-dayyy quotes the Linux Security blog:
While all Linux 'distros' — or distributed versions of Linux software — are secure by design, certain distros go above and beyond when it comes to protecting users' privacy and security. We've put together a list of our favorite specialized secure Linux distros and spoken with some of their lead developers to find out first-hand what makes these distros so great.
This "favorites" list cites six "excellent specialized secure Linux distros." Some highlights from the article:
This "favorites" list cites six "excellent specialized secure Linux distros." Some highlights from the article:
- In a conversation with the LinuxSecurity editors, Qubes OS Community Manager Andrew David Wong elaborated, "Rather than attempting to fix all of the security bugs in software, Qubes assumes that all software is buggy and compartmentalizes it accordingly, so that when flaws are inevitably exploited, the damage is contained and the user's most valuable data is protected."
- A Kali Linux contributor provides some insight into the distro's history and the benefits it offers users: "Named after a Hindu goddess, Kali has been around for a long time — but it's still updated weekly, can be run in live mode or installed to a drive, and can also be used on ARM devices like Raspberry Pi."
Obviously there's strong opinions among Slashdot readers. So share your own thoughts in the comments.
What's the best Linux distro for enhanced privacy and security?
You don't have to be Kreskin (Score:4, Insightful)
FreeBSD
Re:You don't have to be Kreskin (Score:5, Informative)
OpenBSD of course.
Re:You don't have to be Kreskin (Score:4, Informative)
The Privacy thing is crapola noise. Privacy is a part of Security, and stating it separately is a distraction at best.
Re: (Score:2)
Neither should be considered best Linux distro as none of them are one whatsoever.
Re: (Score:2)
Neither should be considered best Linux distro as none of them are one whatsoever.
That seems unfair given that *BSD is where Linux gets some of its best code. :-)
Re:You don't have to be Kreskin (Score:4, Insightful)
I came here to say the same thing. I don't know of any Linux distribution that has the same level of paranoia of that seen in Theo de Raadt, and when I say paranoia I'm of course making a joke as sometimes people really are out to get you. :-)
Re: (Score:2)
There’s the old joke - “just because you’re paranoid doesn’t mean they aren’t out to get you.”
Re: (Score:2)
thatsthejoke.jpg
Re: (Score:2)
Re: (Score:1)
It's funny when you go to that LinuxSecurity article, your swamped with popup's to turn your adblocker off and I also presume nerwsletter requests. I then imediatley did not bother to do anything and just shut the article down.
A security site that wants your data to tracker you via ads and newletters
Re: (Score:1)
It's funny when you go to that LinuxSecurity article, your swamped with popup's to turn your adblocker off and I also presume nerwsletter requests. I then imediatley did not bother to do anything and just shut the article down.
A security site that wants your data to tracker you via ads and newletters
Your browser security is the problem. You need a "default deny" blocker. NoScript / UMatrix etc. I've often thought about this and decided that maximising the annoying advertising on the internet is the only way we will ever get people to think about the fact that they are, by default, unthinkingly running unknown code from untrusted developers every time they go to a web site.
Re: (Score:3)
It's funny when you go to that LinuxSecurity article, your swamped with popup's to turn your adblocker off and I also presume nerwsletter requests. I then imediatley did not bother to do anything and just shut the article down.
A security site that wants your data to tracker you via ads and newletters
Your browser security is the problem. You need a "default deny" blocker. NoScript / UMatrix etc. I've often thought about this and decided that maximising the annoying advertising on the internet is the only way we will ever get people to think about the fact that they are, by default, unthinkingly running unknown code from untrusted developers every time they go to a web site.
His statement was about the trustworthiness of a site. The degree of his browser security, however improvable, does not help in judging the trustworthiness of a website, when it hides all such things from the person who's viewing it.
Re: (Score:1)
His statement was about the trustworthiness of a site. The degree of his browser security, however improvable, does not help in judging the trustworthiness of a website, when it hides all such things from the person who's viewing it.
Even with first party JavaScript turned on, the site worked completely perfectly for me and gave no security message so I could read the page fine. That means I can judge the message and not the messenger. If there's a problem then it comes from allowing third party Javascript on the site, which seems to me to say more about AC's security than about the sites' security. I like the principle of ruling out and ignoring sites that work by advertising, however that would mean 99+-1% of the internet and so wo
Re: (Score:2)
His statement was about the trustworthiness of a site. The degree of his browser security, however improvable, does not help in judging the trustworthiness of a website, when it hides all such things from the person who's viewing it.
Even with first party JavaScript turned on, the site worked completely perfectly for me and gave no security message so I could read the page fine. That means I can judge the message and not the messenger. If there's a problem then it comes from allowing third party Javascript on the site, which seems to me to say more about AC's security than about the sites' security. I like the principle of ruling out and ignoring sites that work by advertising, however that would mean 99+-1% of the internet and so wouldn't leave much left for me.
Nothing about this is about someone's browser. And the statement about the site's trustworthiness wasn't about what he was allowing his browser to load and show, either. It was about the site's genuine content, which says visitors are demanded to switch off their adblockers, and which doesn't let people to opt out of cookies, either, which they admit to use for tracking users. And the question was why someone should trust a site on subjects like Linux security, of all things, which does things like that. If
Re: (Score:2)
I do not allow cookies. I do not allow Javascript from third party sites. I do not allow any adverts. I blocked everything and the site did not show me a popup because the popup relied on Javascript. If you saw a popup that means that your blocking systems are broken. That is your problem and you need to be grateful to the site for showing you that without actually hacking you.
I've now had three people tell me that a) they saw a popup and b) that's the fault of the site. Each one of those people has ef
Re:You don't have to be Kreskin (Score:4)
Your browser security is the problem. You need a "default deny" blocker. NoScript / UMatrix etc. I've often thought about this and decided that maximising the annoying advertising on the internet is the only way we will ever get people to think about the fact that they are, by default, unthinkingly running unknown code from untrusted developers every time they go to a web site.
He already has that. That's how he knows the website is trying to track him an invade his security.
Noscript is so fascinating, Some sites (ahem, /.) have whole armies of script trackers. It is interesting to look up who they are, BTW.
While there are a few that are innocent, like fonting scripts, most are there to turn you into data.
Re: (Score:1)
Pick your favorite distro (Score:5, Informative)
Re: (Score:1, Interesting)
Any modern computer should be considered compromised. No tool will help you.
The best protection for privacy and security is to disable the network card and remove any wireless adapters, including bluetooth and that wireless keyboard and mouse. When a network is needed in company or home-setting, make sure to not have an internet-facing router.
As far hardware goes, even that cannot be blindly trusted. Almost anything built this century could be compromised.
So, until Linux runs on a Commodore-64, there's no s
Re: (Score:2)
Re:Pick your favorite distro (Score:5, Interesting)
What's that? Was just answering the question...
It's a fair comment put badly I think. If your distro was insecure by default then adding things won't make it fully secure. Once the underlying system is compromised, that can always be used to compromise the things on top of it. Anti-virus and all that stuff are just (useful) patches over the top of an infrastructure that's already falling apart. If your bridge is being held together with scaffolding, now is the time to start building a new one.
Restarting, as some people are trying to do, re-writing the whole bottom layer of the operating system in some language like Rust, trying to include security from the beginning might help. Getting completely rid of binary blobs that nobody has time to analyse properly and inevitably end up having massive holes discovered years later would be a big improvement. Running on systems without things like Intel Management Engines and all of the security bugs in recent Intel processors would really help. Ensuring a stronger (GPLv3) license so that its more difficult for vendors to make and hide fixes and doing proper enforcement on it would help.
It's a bit of an impractical thing to say today, but getting to a much more secure environment based around a properly audited, securely written, clearly defined trusted computing base, running on well understood, reasonably verifiable open source hardware is a great vision for the future. Anyone who's working on that needs support.
Re: (Score:2)
The best protection for privacy and security is to disable the network card and remove any wireless adapters
better rip the whole thing out. although the only way to be sure is to nuke it from orbit!
Re: (Score:3)
Why are you on slashdot?
Re: (Score:2)
The best protection for privacy and security is to disable the network card and remove any wireless adapters, including bluetooth and that wireless keyboard and mouse.
This [thehackernews.com] is from 2014. There are a few other methods as well, but I'm sure you can google them. The best protection for privacy is to keep everything in your head. Of course, that is, until someone points a gun to your daughter's head and tells you to spit out whatever you're hiding in your head.
Re: (Score:2)
Pick your favourite Linux distribution, install it, and unplug and power sources to the computer. Secure. The functionality sucks but at least it's as secure as it will ever be without putting the computer into a national gold reserve.
anything (Score:5)
Re: (Score:3, Funny)
without systemd. security and systemd are mutually exclusive.
I use Slackware.
Re: (Score:2)
Eh? It's a featured "hot" comment for underrated mods?
Re: (Score:1)
Yup, that's what I was going to say... I wish I could give you a +100 insightful for your message
Re: (Score:2)
OK, sure. Can you supply some recent CVE's that are due to systemd? Anything in the last 12 months will do.
Secure by design? Really? (Score:5, Insightful)
While all Linux 'distros' — or distributed versions of Linux software — are secure by design
What the fuck is OP talking about? Didn't we have major security flaws in linux that were decades old?
How does anyone manage to generalize that linux is 'secure by design'? Parts of it, maybe. But linux as a whole?
Re: Secure by design? Really? (Score:3)
Re: Secure by design? Really? (Score:5, Informative)
Please mod parent up! There is no secure by design, security is a process, and the question here is which distro makes that easiest.
You need both. You can have the most brilliant processes but if the code on your mail server lets attackers straight into ring zero [theverge.com] then you have lost. If that attack is a zero day that you don't know about and they remain in memory making themselves invisible to other processes then the rest of your security processes will never activate. You cannot plant great trees on a swamp without draining it first, otherwise, even if they get tall, they will fall over at the first strong wind.
Security processes and defence in depth are great but secure design, such as OpenBSD's old decision to turn everything off by default are crucial. Sandboxing and separation like Qubes can be helpful. There's still lots to go in getting secure design into default Linux distros.
Re: Secure by design? Really? (Score:2)
Re:Secure by design? Really? (Score:5, Informative)
Re: (Score:3, Insightful)
It's based on the outdated notion that Unix is secure by design because it has user accounts and file access permissions.
These days the baseline for security is at least a sandbox and system of granular permissions. If anything Linux has actually fallen behind a bit in that regard, although some of the modern container systems are not terrible.
Re: (Score:3)
Re: (Score:1)
Anything, as long as ... (Score:2)
Re: Best for privacy and security? (Score:1)
Uum, DOS could be connected to a network just fine.
Install a card, install the stuff from the floppy, there you go.
It’s All Degrees (Score:5, Interesting)
Edward Snowden uses the Tails distribution of Linux: it runs directly off a CD or DVD (read only media) and writes nothing to the local machine. But can you trust the underlying hardware? We know that it is possible to rewrite a BIOS to include malware and then have the corrupted BIOS re-infect any OS that is installed on the machine. Heck, this can now be done from malware included in hard drive firmware...
As to privacy... Well, with all that we’ve learned, I think the question reveals more about the lack of awareness of the person who asked it than anything. There is no privacy on the internet any more. You might think you’re secure if you use a VPN, or if you use TOR or similar, but the internet’s protocols were simply not designed to be secure from the get-go and over the last 40+ years advances in technology have stripped away privacy; So if it’s privacy you want, you shouldn’t be using the internet.
Re:It’s All Degrees (Score:5, Insightful)
Re: (Score:3)
My recommendation would be Tails on Libreboot.
When it comes to privacy and security, you have to accept that you must not try to re-invent the wheel, but use tried and tested methods.
You must also accept that you may not understand the full implications of deviating from an established privacy enhancing method in seemingly small ways.
A secure system for a technical user is one thing. But recommending such systems to non-technical friends is anoth
Re:It's All Degrees (Score:3)
Osama Bin Laden trusted the internet so little that he didn't have an internet connection in the compound where he was staying. Computers there were not connected to any network and messages were exchanged on thumb drives carried by trusted couriers. Not remotely practical for the rest of us - and it didn't help him in the long run either.
You would think that companies like Apple, wanting to use privacy as a differentiator, would design their products to not give a
Re: (Score:3)
As to privacy... Well, with all that weâ(TM)ve learned, I think the question reveals more about the lack of awareness of the person who asked it than anything. There is no privacy on the internet any more. You might think youâ(TM)re secure if you use a VPN, or if you use TOR or similar,
People have never at any time in human history had more easier and cheaper access to technology that would enable them to securely and privately communicate with anyone on earth without anyone so much as knowing communication is taking place.
"The web" of spectators on the other hand is another matter entirely.
but the internetâ(TM)s protocols were simply not designed to be secure from the get-go
This is a feature not a bug. There is ZERO reason private communications cannot take place over completely insecure open channels. The alternative is tyranny.
and over the last 40+ years advances in technology have stripped away privacy; So if itâ(TM)s privacy you want, you shouldnâ(TM)t be using the internet.
No people wielding technology did that.
Re: (Score:2)
See here [kieranhealy.org] for an excellent example.
There's a chance that where you as an individual stand on any given "interesting persons" list will define the level of monitoring of your activity. So an astute SigInt unit won't try and read everything you do or every site you visit unless/until you do something to t
You couldn't make this up! (Score:4, Insightful)
Re: (Score:2)
Just use a blacklist of distros (Score:2)
I think in the Linux world basically every distro fits the target use case, except Ubuntu, as Canonical has already started collecting telemetry (which you could turn off). ... I don't know can someone here say if Chromium phones home or is that just Chrome itself?
Same goes for browsers. Basically any except Firefox as Mozilla also constantly asks for Telemetry and
Slashdot Trigger Warning? (Score:5, Insightful)
So far, feedback has been 1% useful, and 99% nerds bitching and whining about the definition of "privacy" and "security", and how the internet isn't what it used to be. Do we need to start including trigger warnings with these questions? I mean damn. That escalated quickly.
I would generally agree that distros that focus specifically on privacy (e.g. TAILS, etc.) are probably best for that. That said, anyone who has installed a stripped-to-the-bones default version of OpenBSD, notices obvious sacrifices when focused on maximum security.
It's all about balance, and what your needs are at the end of the day.
Re: Slashdot Trigger Warning? (Score:1)
You must be new here! :)
I suggest you go back to Tumblr, if this is not your style. Because, I'm sorry, this ain't gonna change.
My hobby distro: Hammer Time Linux (Score:2)
Re:My hobby distro: Hammer Time Linux (Score:4, Funny)
So the feds...can't touch this?
Re: (Score:2)
Re: My hobby distro: Hammer Time Linux (Score:1, Flamebait)
Oh kid.
They do not knock.
The entire idea is to surprise you before you can react.
E.g. if they want access to your phone, they wait until you unlock it, then tackle you while one person's only job is to grab your phone so it doesn't lock.
(Try to train just grabbing your phone really tight when you're surprised. Usually, you hit the power button that way, locking it. And if you can hold on to it long enough, it would even force a reboot, lockijg everything up.completely.)
And for your desktop PC.... I'm sure t
What about hardware? (Score:5, Insightful)
Re: What about hardware? (Score:1)
Enjoy googling "dopant-level hardware trojans".
Yes, those exist in the wild now.
Don't ask me how I know.
Re: (Score:2)
Re: (Score:2)
The "Blackbird" is backordered, but I've sent a query on availability. A new POWER9 would replace a current microATX PPC.
It's an old browser bookmark of mine, so thank you for mentioning them.
Re: (Score:2)
The closest I think you're going to get to this is Purism: https://puri.sm/products/libre... [puri.sm]
They take security pretty seriously, to the extent that you can buy a GPG key from them and install their version of Coreboot, which will then validate itself and check to see that none of the main OS files (kernel, initramfs, etc.) have been changed. The last I heard, they still have one blob from Intel in the firmware set that they haven't been able to get rid of (yet), but they're working towards it.
As for the OS
Re: (Score:1)
Just like MS Windows it doesn't matter (Score:2, Interesting)
Kali is not designed to be Secure (Score:5, Informative)
It just switched from "everything running as root" to at least have a dedicated user account recently (year or two, don't remember exact).
But still, it's designed to get stuff done during a pentest.
It's an awesome distro, don't get me wrong. It's just that it is not designed to be a secure OS for a regular user.
Re: (Score:2)
However, running most of your system as non-root is NOT a security theatre. It might seem so, but security needs layers. There is a reason privesc is it's own step in compromising a system. On a well configured system it is not trivial to do. It also makes some noise and generates an audit trail that can be detected (n
Whonix on qubes (Score:3)
No software is secure, just turn on SEL and FW (Score:3)
All software is crap written by flawed humans, full of holes and bugs just waiting to be exploited. To help mitigate flawed software try using SEL (Security Enhanced Linux) and FW (Firewalls) on your favorite Linux distro. There will be a learning curve but you will have a much more secure system.
Turn on SEL (Security Enhanced Linux) from the NSA, I believe you can turn it on in any kernel that supports it.
https://en.wikipedia.org/wiki/... [wikipedia.org]
Turn on Firewalls or iptables
https://opensource.com/article... [opensource.com]
Live long and prosper my friend.
This is easy (Score:2)
Re: This is easy (Score:1)
Assuming they are able to make the choices.
E.g. I find neither any Chrome-like nor Firefox even remotely acceptable.
But apart from writing my own browser, and single-handedly changing the entire web, I use Firefox, simply because I lack the choice. Not because it was any good.
No disro is worth a damn, with a PEKAC flaw. (Score:2)
In the end, the users still choose flashy crap over quality.
Just look at how they went from WhatsApp to Telegram instead of Signal. (Because it has bots and stupid stickers. Instead of actual end-to-end encrypted push messages by default.)
Or how they chose Zoom over Jitsi Meet.
You cannod save a bunch of people that lack the clue to not harm themselves, by adding even more rubber and restraints to the rubber cell. All you achieve, is even more clueless and careless users (because they can), until you complet
I use (Score:1)
Oh, the irony! (Score:2)
When I clicked on the link to read about "Secure Linux Distros for Security and Privacy", I was presented with "please disable your adblocker to read this article."
Linux Security (Score:1)
Depends what you need it for (Score:2)
Arms dealing, human trafficking, drug smuggling ...
Wrong place (Score:2)
Most of the problems are at the application level, especially for privacy.
No OS is going to protect you from a browser that allows 3rd-party cookies or an email program that doesn't filter out embedded tracker images, unless it's an OS that doesn't have networking.
Re: (Score:2)
An OS can't protect you from a bad app giving away your information that you've put into that app. However, an OS should protect you from an app misbehaving, whether intended or through ill ways, and accessing your information in ways that the app does not have normal permissions for. An app shouldn't have access to RAM not in it's address space, or be able to read the keyboard buffer when it doesn't have the focus (ie a key logger), or a multitude of other ways that have been worked out to steal your infor
TAILS obviously (Score:1)
It;s been rumored that if any downloader of TAILS will be put on a special NSA "interest" list, since they know anyone using it must have something important to hide.
Not even quality clickbait (Score:2)
These are NOT "Best Secure Linux Distros for Enhanced Privacy & Security", the list is a mix by someone too lazy to post a focused article and doesn't belong on Slashdot. Listing a mix of pentesting tools and distros for secure use (Qubes etc) is lame and like most "distro list" articles relies on padding instead of content.
The pentesting distros aren't for secure USE, they're for PENTESTING. That's like listing a mechanics toolkit as an automobile.
Why do the editors post such trash? Noobs (who need qu
Re: Not even quality clickbait (Score:2)
+1 to parent. A Linux environment optimized for penetration testing is arguably the WORST environment for being actually secure for normal use, precisely BECAUSE a pen testing environment, almost by definition, has to enable you to bypass & defeat normal host OS security measures. If YOU can defeat them, so can targeted malware running as you.
Likewise, 'secure' doesn't necessarily mean 'private'. Just look at Android. Most Android phones are quite robustly secure insofar as Verizon and copyright holders
"Good enough"... What is your comfort level? (Score:4, Insightful)
There are a lot of arguments about privacy and security, but for the most part, going with a mainstream distribution (Ubuntu, Debian, Arch, CentOS, Red Hat) is going to be "good enough". Something like Ubuntu is a decent distribution not just for security, but finding out how to fix a glitch or dealing with an issue, since there is such a large installed base, there is a good chance, someone encountered the same problem.
If that isn't enough, there are other solutions:
QubesOS comes to mind as something for virtualization and separating workloads from one another.
Tails Linux is built from the ground up for privacy and deal with focused attacks.
However, what is your threat level? Are you just wanting to keep the random bad guys off your system, or do you have a well-heeled adversary after you, like a nation state? Are you worried about LEOs?
For most people who haven't honked off a major superpower, and if they are attacked, it is just a random probe, a mainstream Linux distribution is good enough, especially if you have basic stuff like firewalling turned on, and have some decent backup mechanism. Bonus points if you have a solid hardware firewalling router, so one's machine is never exposed on the Internet.
I personally use BorgBase, with my keyfiles printed out and stuffed in a safe offsite. Because physical smash-and-grab breakins is a concern, all my Linux stuff is LUKS protected for boot volumes, ZFS encrypted for zpools, VeraCrypt protected for external media, or CryptoMator/eCryptFS/EncFS if I have to use a file/directory based mechanism. This way, if something does get stolen, it is a physical write-off, and a restore from off-site.
Always consider what security threats you have. Yes, you can run offline, and have a courier network with , m of n encryption, and guys with briefcases with handcuffs on them, but for the most part, most people's data just isn't that valuable, and eventually it will be too fatiguing to keep working with.
I'd focus on having a solid firewalling router, a decently updated Linux distribution, full disk encryption, and good backups before worrying if there is some magic backdoor that some dudes in Lower Elbonia are going to go after. However, this is assuming you don't have any high-zoot enemies. If that is the case, all of this goes out the window, and it might be wise to go with Tails Linux, and a lot more precautions.
Re: (Score:2)
Thanks for the only mention of virtualization, especially since I don't recall having heard of QubesOS. Sounds like it will be a useful benchmark OS for my weird situation...
Whoops. Turned out to be the other way around. QubesOS is apparently optimized for hosting virtual machines, not running as a virtual machine.
Which leads me to ask why there's no mention of the Chome OS? (Just a couple of mentions of the Chrome browser.) Not even a mention of Gentoo? Major problems in privacy or security or the EVIL goo
Obvioiiusly (Score:2)
Debian, of course. It's the canonical answer to all varieties on the theme "which distro is best for ...".
Ubuntu is the Canonical answer (Score:2)
Debian is the Debian answer/
Lindows (Score:2)
Kali is not secure (Score:2)
Check (Score:2)
SELINUX