Thoughts on security of Kicksecure (debian based linux distribution)??

GrapheneOS

ryrona Debian adds an extremely large number of people, many of whom have demonstrated themselves to be highly unethical and untrustworthy. They're not just writing source code since what they write is trusted to obtain and build the packages. Not doing the builds themselves doesn't mean they can't include and ship binaries themselves. Many Debian packagers participating in things like stalking and harassment heavily draws into question trusting the software. It is a much different situation than most community or corporate projects. It's a huge number of people who are trusted and there's nearly nothing done to make sure that group of people is trustworthy or to address people demonstrating they're untrustworthy.

And calling out Debian's poor track record of getting security fixes out, while Google is providing information to attackers about Android vulnerabilities 3-4 months before publishing security patches to fix the vulnerabilities seems a bit unfair.

Debian packages a lot of software regularly having long embargoes. That includes but is far from limited to software covered by the Android embargoes. There are regularly embargoes for the Linux kernel and many other projects, and some are quite long. These are regularly breached and patches sometimes get shipped early by some projects after that happens.

At least Debian gets out fixes for many high and critical severity vulnerabilities within days of the vulnerability being discovered,

That's not the case at all. They frequently go weeks or months without patches for the browser, etc.

I don't think there are much reasons to call out on bad security track record in one project, when there isn't really any project with a good track record.

Debian has a much worse track when it comes to updates and introducing downstream vulnerabilities than most other mainstream Linux distributions.

ryrona

GrapheneOS It is a much different situation than most community or corporate projects. It's a huge number of people who are trusted and there's nearly nothing done to make sure that group of people is trustworthy or to address people demonstrating they're untrustworthy.

Believe me, there are a lot of users and downstream projects that are auditing Debian. If the "anyone can submit packages to Debian" approach constituted a significant risk, we would have seen that by now. The biggest problem with Debian isn't in and of itself this, but that no noticeable security or privacy improvements have been implemented at all since like 2011. Debian has increasingly become obsolete as a project, and unsuitable to build security and privacy focused projects on. While Fedora for example has many running projects to improve security and privacy, projects that are delivering.

GrapheneOS Debian packages a lot of software regularly having long embargoes. That includes but is far from limited to software covered by the Android embargoes. There are regularly embargoes for the Linux kernel and many other projects, and some are quite long. These are regularly breached and patches sometimes get shipped early by some projects after that happens.

My point was that in AOSP all security vulnerabilities are disclosed 3-4 months before fixes are allowed to be published. There are embargoes in other open source projects too, but not in most. I have seen Debian having fixes out for high and critical severity vulnerabilities within 3 days of a vulnerability being discovered on many occasions. We will never see that in AOSP. Other projects are releasing patches to fix vulnerabilities quickly, but aren't allowed to disclose information about what the vulnerability is beyond the patch fixing it. In fact, that is the most common kind of embargo I see in open source projects. And that makes way more sense than what AOSP is doing.

I just wanted to say your statement is a bit unfair. I am not saying Debian has a good track record at all of getting fixes out, I very much know they don't. But AOSP is also terrible in this regard, and you know it.

GrapheneOS

mushix99

If not mistaken, Kicksecure does compile the kernel with custom config parameters, hence doing hardening beyond syctl. They seem to provide a variant hardened-vm-kernel, which ad-hoc compiles the kernel on local machine for unique kernel pointers, and reduces hardware options to a minimum for faster compile time and better security.

You've linked an outdated page from when madaidan was involved in the project. Kicksecure is now hostile towards GrapheneOS, secureblue and linux-hardened.

Maybe that is due to Kicksecure's interdependence with Whonix incl. Tor Browser, which prioritizes anonymity/privacy over security. Tor browser has its own place in terms of anonymity and can't be easily substituted by Chromium-based browser - browser fingerprinting is such a difficult topic on its own. Chrome is a terrible privacy choice, Chromium still has quite a few Google dependencies - iirc that is why Ungoogled Chromium exists. I think to have encountered rare tracking connections (Google) even with Vanadium in the past, but that might have been solved by recent versions. It would be interesting to know, how secureblue's Chromium browser behaves with in this regard. But yes, you're are right, Chromium is the better choice from pure security perspective.

No, these claims are highly inaccurate and misleading. Firefox has much worse privacy and security, and it would be dramatically harder to reach the same point obtained with minor changes to Chromium.

Interesting point, actually never heard of this perspective . But doesn't Flatpak, which is advocated by secureblue as primary installation method, have a similar issue, with need to trust many individual developers? Debian at least is one responsible organization unit.

No, Debian has a massive amount of people who are trusted with nearly zero vetting or oversight. Many have demonstrated they're highly untrustworthy. Many have actively abused their positions. Debian trusts not only the upstream developers but also this large group of additional people, who are much less trustworthy overall than the upstream open source developers based on their actions and statements. Flatpak does not provide a proper app sandbox or permission model but it's at least substantial progress towards it.

But so can Kicksecure, it's even installed as default? Flatpak internally uses bubblewrap sandbox, so to harden Debian repo packages for Debian/Kicksecure I am wondering, if it makes better sense to directly use bubblewrap - or other sandboxes like systemd hardening options, firejail which all make use of linux namespaces, seccomp, capabilities or cgroups to more or less extend. Advantage of secureblue is, it comes with secure defaults, which makes it very convenient to use.

No, this is completely wrong. You cannot simply use these things to contain desktop applications. The applications need to be made to work within a sandbox. You're describing individual security features or controls rather than an app sandbox. Firejail also has a history of extraordinarily poor security and does not do what it's supposed to do.

I wish they would use Librewolf as substitute for Firefox, to make up for Firefox telemetry and ad connections. As stated above, it depends on chromium build at hand, how privacy-friendly this browser behaves. I gladly would take Chromium with ad blockers like U-Block Origin for security and privacy, but Google actively works against all blockers (Addon policy etc.).

This comes with significant privacy/security disadvantages rather than only advantages.

At least there seem to be incentives to work on it? https://www.kicksecure.com/wiki/Sandbox-app-launcher

You're referring to a bunch of out-of-date content from madaidan who is no longer working on Whonix or Kicksecure. Most of his changes were reverted and removed, not only hardened_malloc.

argante

GrapheneOS RHEL and clones of it such as Rocky Linux have similar issues to Debian when it comes to incomplete backports though.

I completely agree. All corporations, including Microsoft, are struggling with this problem. They might not patch a vulnerability for months because it could break client-side compatibility. On the other hand, they strive to create increasingly complex solutions, thus only expanding the surface of possible attacks.

GrapheneOS Firefox has much worse privacy and security, and it would be dramatically harder to reach the same point obtained with minor changes to Chromium.

Firefox - this project has been destroyed.

The Mozilla Foundation was co-founded by Brendan Eich, the creator of JavaScript. During his tenure as CTO and CEO, Firefox experienced rapid growth. Of course, Chrome competed, but IE was the main loser here, while Firefox was less affected. Eich introduced numerous innovations. During his tenure, Mozilla pioneered the Rust language and planned to use Servo as the new engine for Firefox. Firefox was to be completely rebuilt from scratch – this time using a new, secure language developed by Mozilla. Eich was forced out of Mozilla (2014) because he was too conservative and not progressive enough (in the ideological sense). And so, the technical person was replaced with a white-collar job. Since then, Mozilla has been coming out with increasingly stupid projects. They got rid of Rust, abandoned Servo (Mozilla's employees layoff in August 2020), and Firefox development has stalled. However, this hasn't stopped the CEO from receiving a multi-million-dollar salary (Mitchell Baker: 2018: $2.46 million, 2020: >$3 million, 2021: >$5.5 million, 2022: >$6.9 million). Meanwhile, Firefox has ended up with a 2-3% market share (when Eich was still CEO, it was around 18%?). After leaving Mozilla, Eich co-founded Brave (2015), and that browser is doing much better than Firefox. Currently, Mozilla doesn't have the resources to rebuild Firefox, so as far as I'm concerned, the project is dead. Their latest idea for Mozilla was even a contradiction of the values that should have guided it: they changed the Terms of Use, which gave them the ability to sell user data. They withdrew from this after protests, but it shows what is in the minds of the people currently behind Firefox.

You can easily verify all the information I have provided yourself.

mushix99

GrapheneOS You cannot simply use these things to contain desktop applications. The applications need to be made to work within a sandbox. You're describing individual security features or controls rather than an app sandbox.

Not sure, if I understand your point here. In general an app sandbox should enforce restrictions to apps, not the other way round, relying on apps to support sandboxes.

Also I asked about using systemd hardening directives or bubblewrap as sandbox, not re-inventing the wheel and using single security features on their own. Are you saying, that systemd options and bubblewrap are not effective sandboxes for desktop and server apps?

I am including server use case here, as secureblue explicitly is promoted for servers and Debian, which Kicksecure is based on, makes a popular server OS. Note that above guide marks systemd as insecure, but those referenced links are nearly a decade old - any hints about its current security state are welcomed.

Thanks anyway for mentioning, that Kicksecure does not use kernel hardening config anymore and docs are outdated, wasn't aware of this.

GrapheneOS

wuseman The person who was working on the hardening for Whonix and Kicksecure for the kernel, hardened_malloc, MAC policies and everything else they were doing at one point is no longer part of the project. Most of their work was removed and isn't being worked on anymore. Secureblue is the successor to that and Whonix needs to be replaced rather than improved. The lead developer of Whonix heavily spreads misinformation about privacy/security. He's not trustworthy and neither is the project. It should be outright avoided based on these actions alone.

GrapheneOS

argante

There wouldn't be Ubuntu and other clones if it weren't for Debian.

None of these are good choices for privacy or security. Fedora, Arch, NixOS, Alpine, etc. are all much better options.

The problem with this discussion is when someone tries to present Kicksecure as a secure Linux distribution. Kicksecure is based on Debian, which isn't inherently security-focused. Furthermore, the decisions they make tend to increase risk, as users trust their marketing rather than whether something actually works. The abandonment of hardened_malloc is a perfect example of this.

Nearly all of the content on their wiki about hardening was from when madaidan was involved as a Whonix and Kicksecure developer. That's no longer the case and nearly all his work was abandoned. Most was removed or will end up removed.

Similarly, Google greatly benefits from Gentoo's legacy, as their entire package build system is (or was) based on Portage.

There's a lot less substance to this than people claim.

I really like Solar Designer's approach. He initiated the Openwall project and developed Owl, a secure distribution for servers. Years after Owl was discontinued, he still maintains packages for Rocky Linux that port Openwall projects (and also the hardened_malloc from GOS) to this Red Hat clone.

RHEL and clones of it such as Rocky Linux have similar issues to Debian when it comes to incomplete backports though. It's very similar to continuing to use an old Android release via the Android Security Bulletin backports such as still using Android 13, but for a much longer period of time. For the goal of securing RHEL or a RHEL clone while retaining compatibility for companies insisting on using it, it's a very sensible approach to starting on hardening it but it doesn't change the issues associated with using ancient software via RHEL, old Android releases, Debian, etc. Backports are increasingly incomplete over time and major privacy/security advances are missed. Projects prioritizing privacy and security are improving those substantially over time rather than just introducing more and more attack surface, bugs, etc. and not making progress on making things better via safer programming languages, sanitizers, fuzzing, other tools, sandboxing, more secure architectures, exploit protections and much more. Android gets very clearly more secure with each major release, even if most other projects do not generally do that such as the upstream Linux kernel.

crunched

GrapheneOS I am curious on what you would recommend instead of Whonix for accessing Tor? Would love to see a better project come to fill this space.

mushix99

mushix99 Are you saying, that systemd options and bubblewrap are not effective sandboxes for desktop and server apps?

... also assuming, kernel hardening - if possible - and proper app MAC policies (AppArmor, SELinux) are part of the sandbox.

GrapheneOS

mushix99

Also I asked about using systemd hardening directives or bubblewrap as sandbox, not re-inventing the wheel and using single security features on their own. Are you saying, that systemd options and bubblewrap are not effective sandboxes for desktop and server apps?

Those cannot sandbox desktop applications on their own rather than being tools used as part of an actual sandbox. The systemd hardening features are mostly requests for features which are not necessarily available and will not cause the service to not run when they can't be used for one reason or another. Only a few of the options are treated as mandatory. They're meant for enhancing uid/gid based isolation of services. Most will not work in a user session and most of those features will silently fail to do anything in that environment.

mrket

mushix99 In general an app sandbox should enforce restrictions to apps, not the other way round, relying on apps to support sandboxes.

To effectively sandbox an app while keeping it functional you need the app to know how to operate within a sandbox, and to have systems designed to allow apps to access what they need outside the sandbox in a secure way.

On desktop Linux some Flatpak apps use portals to access resources which are only available outside the sandbox, for example, but not all apps support portals and portals are still not able to provide access to every resource which apps may require (see for example how any Flatpak app which needs access to controllers has full access to /dev AFAIK).

If you just use bubblewrap or some other tool to sandbox a random app you will either have to figure out how to let it access portals if it even supports them (by exposing D-Bus to the sandbox, preferably using xdg-dbus-proxy, though some portals require more than just access to D-Bus), and/or allow it to access resources it needs outside the sandbox by specifying them before the app runs.

You will also need to handle things like filtering system calls with seccomp (not a trivial thing to do effectively even though bubblewrap can load seccomp filters); some programs like Chrome and OpenSSH restrict their own usage of system calls with seccomp.

ryrona

crunched I am curious on what you would recommend instead of Whonix for accessing Tor? Would love to see a better project come to fill this space.

Please note that the critique discussed in this thread has been against KickSecure, not Whonix.

Although Whonix is based on KickSecure, Whonix does implement many very strong protections and makes very much sense as a security and privacy focused project. Whonix runs the gateway and workstation in separate virtual machines, basically preventing all risks of the workstation being able to bypass Tor or fetch information that can deanonymize you such as which Tor guards you use, your public or local IP address, your MAC address or other hardware identifiers, and so on. Even in the case where the workstation has been completely compromised by an attacker. Whonix by design also encourages separating your anonymous activity from other activity, by only using Whonix for anonymous activity, thus encouraging the user to apply a kind of security domain isolation, which is a very good model of usage. You can even spin up a separate workstation for each use case.

KickSecure on the other hand is just a regular desktop Linux system, and does not implement any isolation that makes sense, and does not encourage the user to use it in a secure way. KickSecure is an improvement over Debian, but a rather mild improvement, whereas SecureBlue is a much bigger improvement. But for the use case of anonymous web browsing, Whonix is unrivaled and an excellent project. Only Tails comes close.

PrivateLoop

ryrona

Could Whonix's level of isolation also be achieved on GrapheneOS, along with using a separate device as a router? Such as https://github.com/radio24/TorBox?

Or maybe it's even better than Whonix, because it is isolated physically?

Just wondering

argante

ryrona Believe me, there are a lot of users and downstream projects that are auditing Debian.

I believe you! I'd be more at ease if they didn't do their security audits. This is just one example, but I should add that a Debian developer previously asked on the openssl list if he could remove those two useless lines of code :)

ryrona The biggest problem with Debian isn't in and of itself this, but that no noticeable security or privacy improvements have been implemented at all since like 2011.

The most interesting Debian-based distribution I remember was Adamantix. Unfortunately, the project didn't survive.

GrapheneOS

ryrona

Believe me, there are a lot of users and downstream projects that are auditing Debian.

Not nearly as much as you're implying and it doesn't work as well as you're implying either.

If the "anyone can submit packages to Debian" approach constituted a significant risk, we would have seen that by now.

It's a huge risk and severe vulnerabilities are regularly introduced by Debian packages. It often doesn't get much attention after it happens. We have some past posts about several cases of this happening. Updates are also often delayed far more than just based on freezing packages indefinitely. AOSP has issues with freezing packages too, but Debian is much worse at this than AOSP and Debian is what's being portrayed as doing better than it is here and elsewhere.

The biggest problem with Debian isn't in and of itself this, but that no noticeable security or privacy improvements have been implemented at all since like 2011. Debian has increasingly become obsolete as a project, and unsuitable to build security and privacy focused projects on. While Fedora for example has many running projects to improve security and privacy, projects that are delivering.

Fedora doesn't have modern exploit protections, widespread use of memory safe languages, etc. It's not enabling many standard Linux kernel exploit protections. They still haven't deployed stuff like CFI and are nowhere close to doing basic allocator hardening or advanced features like MTE. There's very little use of sandboxing and SELinux MAC policies are very basic and barely used to do anything, especially for a desktop. Debian is much worse but privacy and security are very stagnant for that ecosystem as a whole.

My point was that in AOSP all security vulnerabilities are disclosed 3-4 months before fixes are allowed to be published.

No, they're allowed to be published right away which we're doing. The source code released is delayed due to a misguided idea that it helps attackers more than it actually does. That being very misguided doesn't mean it is actually forced to be delayed for 3 months. Also, based on what we've seen so far, it's 3 months for most patches and then a steady stream of additions up to 1 month ahead so it's 1-3 months but mostly 3. There's also the time period before they fix and disclose them this way, so that can add 1 or more months on top of the widely disclosed patches to OEMs which are allowed to be shipped early now. The old approach was 1 month early access without being allowed to ship early, now it's mostly 3 months (but to a lesser extent 1-2 months for a smaller portion) but with OEMs allowed to ship as soon as they want. In practice, most OEMs aren't taking advantage of it, but we've noticed Samsung has been doing it throughout this year with a small portion of the patches which will likely grow. Pixel stock OS appears to be doing the same, but not listing the CVEs they fix early despite it being implied in their docs that it must be done. They definitely shipped at least 1 December 2025 patch in the Pixel October monthly update.

I have seen Debian having fixes out for high and critical severity vulnerabilities within 3 days of a vulnerability being discovered on many occasions.

They typically go years without shipping important patches unless a CVE is assigned, which it often isn't. If a CVE assigned, it might be shipped quickly but often isn't. They're also notorious for introducing downstream security vulnerabilities, far beyond the most well known examples like the Debian weak key issue.

I just wanted to say your statement is a bit unfair. I am not saying Debian has a good track record at all of getting fixes out, I very much know they don't. But AOSP is also terrible in this regard, and you know it.

GrapheneOS is not AOSP or the stock Pixel OS.

aqua-ghostly

TGOS

Besides from using Kali to pull documents off unencrypted windows PCs Secureblue is my first distro. I'm still somewhat handicapped when it comes to installing stuff but most of my work is done in browser anyway so that is not a problem.

DeletedUser499

If Kicksecure came in Gnome, I would use it in preference to Debian.
I use Fedora and Debian in equal measures. I can't decide which to stick with so I constantly swap from one to the other.
If I go to my online bank I use tails.
I use them, live from USB, without hard drives in my laptops. I get any problems, throw the USB in the bin, download and repeat.

Watermelon

I'm distrusting Kicksecure/Whonix based on just this:
https://www.kicksecure.com/wiki/Mobile_Operating_System_Comparison#GrapheneOS

Edit: And the lead developer said somewhere (I think in a GitHub issue, but not sure) that he only knows scripting, and isn't a programmer. What kind of lead developer of a software project wouldn't know programming? It's bad to trust them to deliver a secure product.

user539

And after all of this endless debate.. What should a man choose as a linux daily drive, silver blue?

Eirikr70

user539 I suppose SecureBlue if you are a security addict, but it comes with severe inconveniences.

user539

Eirikr70 what are those?

KCne

Eirikr70 I suppose SecureBlue if you are a security addict,

secureblue is not intended for security maximalists, their website says

secureblue is for those whose first priority is using Linux, and second priority is security. secureblue does not claim to be the most secure option available on the desktop. We are limited in that regard by the current state of desktop Linux standardization, tooling, and upstream security development. What we aim for instead is to be the most secure option for those who already intend to use Linux. As such, if security is your first priority, secureblue may not be the best option for you.

@GrapheneOS has made clear Linux's unideal security state, especially in this thread. There are already plenty of other threads in this forum discussing OSs that maximize privacy and security, and I have expressed my belief that GrapheneOS itself does a solid job.

GrapheneOS qualifies as a Linux distro, but it is far more private and secure than traditional distros or MacOS. Once Android QPR1 releases for GrapheneOS and there are improvements to Desktop Mode, I believe that will be ideal in privacy and security for many desktop needs

Eirikr70

user539 I don't remember much, but I can recall two of them

you cannot be root in the same session as a standard user,
you can use only half of your processing power.

I suppose that others can give you more precise answers.

« Previous Page Next Page »