Perspectives of Security, and how to tell that a system is secure [writeup]

ryrona

I have heard many statements with regard to security, that are simply so odd and misinformed to me. Some say iPhones running iOS are the second most secure phones after Google Pixel phones running GrapheneOS. That couldn't be further from the truth. iPhones are literally there, at the rock bottom, among the phones absolutely unfit for security, together with most phones running stock Android. Some say Linux is the desktop OS with the worst security, way worse than MacOS, even worse than Windows. That couldn't be more wrong. The only desktop OS that is more secure than Linux is QubesOS, but Linux is also an excellent choice. If you pick Windows or MacOS, down you will go.

I don't know how this happened. Maybe people are blinded by all the details, all the security features that exists and all the security features that are missing, that people don't see the full picture. Or maybe it is just because I actually have a practical need for security, as a member of a heavily oppressed minority, that I have been forced to look at the full picture from the very beginning, out of necessity to avoid getting physically attacked, doxxed or wrongfully arrested. Either way, I feel like I need to write this writeup, to give my perspective to security, in a constructive manner, in the hope that people will realize my view of security and my threat model is also very much a valid one, and why I defend Linux so much, why I defended Pinephone, and why I wouldn't touch anything Apple, Google or Microsoft even with a stick.

15 years ago, I learned the concept of canaries. A canary is a song bird that in past times where used in coal mines. If toxic gas was mined into, the bird would be the first one to die, and it becoming quiet in the mine, no more bird song, would alert all the miners to evacuate. This concept of a canary was adapted by the security and privacy community. The idea was simple, point out someone who is using the same technology and setup as you, but that is likely to be the first one to fall if the security and privacy of the system would fail. I realized, the people who watch, download and spread child pornography on the web are our canaries. If the security in a system would fail, they are the first ones to disappear. Many would get arrested, the rest would flee in panic. Same with people who make or deal with illegal firearms and drugs, they come as a close second after the people who deal with child pornography, being the next to be arrested or flee. The idea was simple, on a forum, find two or three people you know are downloading and sharing child pornography, but that are relying on the same technology as you, and keep watching them every now and then to see if they are still there. If not, time to pack your things and leave.

Nothing of this was to endorse illegal activity in any way, certainly not with children as victims. The idea was simply that people who do serious illegal activity, especially with children as victims, are always targetted by law enforcement agencies as well as vigilanties to such an extent that they are the first that will end up in trouble if the security or privacy of the technology fails. And the idea was also that you wouldn't have to read any code or be any kind of expert in security; if they are there, the system is likely waaay good enough to protect you too.

It turns out though, that keeping an eye on people doing such activity is pretty hard without getting exposed to that activity yourself, at least to some extent. So it isn't a very practical way after all. After a few years I abandoned this method, and came up with my own. Let's instead pretend I am one of them. Let's pretend I have lots of child porn on my phone, on my computer, and on my external disks and USB sticks. Let's pretend that I am sharing child porn with the people I communicate with. Of course I don't actually have any illegal or unethical content on any device, that would very much go against everything I stand for, but I can for the purpose of evaluating the security pretend I do. Because now I can for real evaluate if the system I am using really is secure and private enough to protect me. With a pretty good margin too, since I would never actually do such things nor be that interesting of a target.

Now hopefully it is far more clear why iPhones are among the absolutely worst choices for security out there. There have been plenty of news articles about people who have gotten reported to the police, by Apple, over things that aren't even child porn but innocent child nudity they have had on their iPhones. Apple used to scan all data connected to their built-in iCloud service, in a way obviously hostile toward their users' security. Now hopefully it is also far more clear why Windows is way way worse than Linux. They also scan files on your device, and you cannot even reliably disable the scanning anymore. I heard people sharing child porn stopped using Windows after Windows 7, it was the last secure version of Windows. Suddenly Linux device, even Pinephone for that matter, does not really seem like such a bad choice anymore. Not F-Droid either. Because they don't scan, log or leak your activity or files, at the very least not intentionally. Open source software seem to have a very strong resistance towards becoming hostile to their users, they tend to stay friendly.

That doesn't mean we shouldn't improve security and privacy features. We absolutely should, but we have to stay aware of how to actually evaluate whether a system is secure, such as with the canary method I described here, and stop claiming heavily insecure systems are secure, just because they have bleeding edge security features, and stop bashing perfectly safe system, just because they don't even have a basic app sandbox.

In the end, what system is it that will actually protect you, or fail you. If you cannot even protect someone engaging in criminal activity, how would you protect whistleblowers like Edward Snowden? If you cannot even protect someone engaging in criminal activity, how are you supposed to protect us who belong to minorities that are followed and oppressed by half of the society.

DeletedUser88

ryrona Some say iPhones running iOS are the second most secure phones after Google Pixel phones running GrapheneOS.

In terms of security, that is true. This is also a stance shared by the GrapheneOS project who are experts in this field.

ryrona Some say Linux is the desktop OS with the worst security, way worse than MacOS, even worse than Windows. That couldn't be more wrong.

Linux is more private than macOS and Windows when you look at privacy from the OS vendor. Linux does not send telemtry, index your searches or any other privacy-invasive functionality embedded in macOS and Windows. Linux is verifiably more insecure than macOS and Windows. The entire Desktop OS ecosystem is insecure but Linux is the worst. You're concerned about the privacy of the OS but not the security of it.

ryrona There have been plenty of news articles about people who have gotten reported to the police, by Apple, over things that aren't even child porn but innocent child nudity they have had on their iPhones.

It's quite probable that if you upload your data to an unencrypted cloud service then the photos will be scanned and moderated. If you don't want your photos to be accessed by Apple then either don't upload them to their cloud or use Apple's Advanced Data Protection. People getting caught doing bad things have bad OPSEC if anything. Use encryption whenever you can and you'll be okay, even if you are not doing anything wrong.

No one is arguing that Apple isn't privacy-invasive though, just that their hardware and software is secure compared to other mainstream options.

Apple used to scan all data connected to their built-in iCloud service, in a way obviously hostile toward their users' security.

Previously, if you were concerned about the privacy of your data then you would not upload it to iCloud at all as it was unencrypted. With Advanced Data Protection, this is no longer the case (The metadata isn't encrypted though). Apple also did not implement the CSAM-scanning feature it wanted to implement a few years back due to backlash.

GrouchyGrape

ryrona I'm not going to pretend to be an expert but it sounds as if you're conflating security with privacy.

privacyisconsent

ryrona I have tried to read and understand your perspective and written some thoughts below. However, it is very important to stress that projects like GrapheneOS do not exist to make criminal activity easier or more effective. I know your point about canaries is just part of your overall argument, but it is important you don't associate robust and well-implemented systems with enabling crime. Projects like GrapheneOS exist to give individuals more freedom from oppression, undue interference and surveillance of any kind. Maybe it would be helpful to think of good systems as systems that should primarily prevent crimes and abuses against you the owner.

ryrona I have heard many statements with regard to security, that are simply so odd and misinformed to me. Some say iPhones running iOS are the second most secure phones after Google Pixel phones running GrapheneOS. That couldn't be further from the truth. iPhones are literally there, at the rock bottom, among the phones absolutely unfit for security, together with most phones running stock Android. Some say Linux is the desktop OS with the worst security, way worse than MacOS, even worse than Windows. That couldn't be more wrong. The only desktop OS that is more secure than Linux is QubesOS, but Linux is also an excellent choice. If you pick Windows or MacOS, down you will go.

When people talk about security they are usually talking about widely understood things like:

If my device is taken (while off OR while in use) how much sensitive data is available to the person taking it?
If my app has a vulnerability how easy is it for an attacker to gain privilege and sensitive data from my OS?
If a publicly exposed network interface on my device has a vulnerability, how easy is it to use that to attack the OS?
If an app I am using is malicious/malware, how much sensitive data and data of other apps can it further access?
If any of those bad things happen to/on my device/OS how can I confidently remove or stop the bad things?

ryrona Now hopefully it is far more clear why iPhones are among the absolutely worst choices for security out there.

I think your misunderstanding and confusion is caused by a difference in perceived threats and threat actors.

Most of the time the organisations you are referring to like large corporations, law enforcement and intelligence agencies are known, trusted or ignored. People will normally give more weight and importance to protection from unknown entities who want to explicitly harm them like trolls and spammers, thieves, stalkers/harassers, fraudsters, scammers, malware authors and extortionists and so on.

Known or unknown parties should be treated equally and where that is not possible unknown parties should be prioritised. This is what I believe good systems like GrapheneOS try to achieve. What you describe with systems like traditional desktop Linux (with considerable contributions from Google, Microsoft and co.) distributions, QubesOS, PinePhone, F-Droid are also just a different set of known parties. But you have judged personally that their interests do not conflict with yours, so you forgive their oversights and inadequacies even though most do far less to protect you from both known and unknown parties.

raccoondad

ryrona

I am an active activist for a certain socially disliked group of people, no reason to go into detail here, but heres my take:

"The only desktop OS that is more secure than Linux is QubesOS, but Linux is also an excellent choice"

QubesOS is Linux, it uses fedoras installer. The kernel is Linux, it uses XFCE for its WM.

"Let's pretend I have lots of CSEM on my phone, on my computer, and on my external disks and USB sticks....Now hopefully it is far more clear why iPhones are among the absolutely worst choices for security out there"

No, I don't understand why I would want to use a pinephone over an Apple device for day to day threat models.

" Apple used to scan all data connected to their built-in iCloud service"

iCloud is not an apple device, its a service. It can be disabled

"Not F-Droid either. Because they don't scan, log or leak your activity or files, at the very least not intentionally. "

I don't think F-Droid has access to this information anyways

"and stop claiming heavily insecure systems are secure"

You only claim Apple devices are insecure because of aspects that aren't related to Apple devices, you also use the threat model of a person offending with CSEM, making them a LE threat model, which isn't most people.

"stop bashing perfectly safe system, just because they don't even have a basic app sandbox."

But pinephone...isn't safe? If your threat model is day to day attacks that actually do effect normal people, it would be a terrible choice.

"how would you protect whistleblowers like Edward Snowden?", Edward would not use Icloud...

I'm not worried about Tim Cook himself coming out and yelling my social security next press conference, I am worried about a PDF file exploiting a security vulnerability allowing for remote code execution and the implications of that.

Being aware of what your device is doing is important in terms of 'phoning home', but recommending insecure systems simply because they don't is just...not how cybersecurity works.

ryrona

GrouchyGrape I'm not going to pretend to be an expert but it sounds as if you're conflating security with privacy.

Yes, I am, intentionally. Because lack of privacy is a practical security threat, a threat to personal security. That was a little bit the point I was trying to make.

Many say one cannot have privacy without security. But I was kind of trying to argue you also cannot have security without privacy. Not when it really matters at least.

raccoondad QubesOS is Linux, it uses fedoras installer. The kernel is Linux, it uses XFCE for its WM.

Technically, the security is provided by Xen, not Linux. The hypervisor is Xen. Linux kernels and OS stacks are only run inside virtual machines, which are solely contained within a specific security boundary. But that wasn't my point of the distinction, just that QubesOS do not implement the heavily outdated Linux security model.

raccoondad iCloud is not an apple device, its a service. It can be disabled

Still not secure by default. It is not obvious how one disable it either. Disabling the cloud syncing is not enough, since it gets silently re-enabled in certain circumstances, such as for example if your update your account details.

raccoondad you also use the threat model of a person offending with CSEM, making them a LE threat model, which isn't most people.

I thought the whole purpose of designing a secure system is to have an as powerful threat actor as possible, and to protect against that one. So I don't think the threat actor being law enforcement is a poor choice.

One can argue that we should put the security level exactly so there isn't usable security for people doing criminal things, yet are able to protect everyone who are law abiding. But not all laws in all countries are reasonable, sometimes one need to fight back. You should know this, as an activist for our group. And even if the laws were reasonable, I don't see that finding such a sweet spot of security is possible.

Ideally, there would be no groups of people in society that are systematically oppressed, hated and legally harassed and so on. If we can reach such an utopian future, with I think both of us really wish for, at that point, everyday people don't really need that level of security anymore, and at that point we certainly can "compromise" the security in all our systems enough that catching criminals is easy. In such a future we can have both, a world free from discrimination and oppression, and a world free from criminality. But the world does not look like that today. Although things like client side scanning can spell the end to criminality, it equally will spell the end to many of us who are oppressed and hated by society today. It certainly will silence us. This is why we need systems like GrapheneOS.

raccoondad "how would you protect whistleblowers like Edward Snowden?", Edward would not use Icloud...

Hopefully he wouldn't use anything Apple at all. Which is the point I am trying to make.

raccoondad Being aware of what your device is doing is important in terms of 'phoning home', but recommending insecure systems simply because they don't is just...not how cybersecurity works.

No, maybe not. But a perfectly secure system that is phoning home isn't secure to use in practice. I wanted to shift the focus out a little bit from the theoretical security level a system gives, to what is actually usable by the people who really really need security in practice.

raccoondad I am an active activist for a certain socially disliked group of people, no reason to go into detail here

Well, we belong to the same group, and the same side of that group too. So you also know there are unreasonable laws against us, in many otherwise reasonable countries. And you should also realize that things like client side scanning can be and eventually will be used against us too, if it becomes a reality. Yes, we should change the laws, but we are a minority, and have to rely on a high security level to even make our voices heard. You should also know many gets disproportionally punished for breaking laws that at least we on our side believe should exist too. You certainly know someone that has. I do.

Upstate1618 Well, I don't agree with you.

Which is fine of course. I only wanted to give my perspective, in the hope of bringing a wider understanding of the topic of security. Another perspective to it.

Upstate1618

Well, I don't agree with you.

GrouchyGrape

ryrona I was kind of trying to argue you also cannot have security without privacy.

This isn't true, though. Security (in this setting) is denying access to unauthorized users. When you agree to Apple's terms and conditions (and privacy policy) when using their products, they become an authorized user. This comes with privacy tradeoffs, but it's still a comparatively secure system.

I understand where you're going with your argument, but it's very important to understand the difference between security and privacy. Sure, it's difficult for us users to have one without the other, but that doesn't make them one in the same.

DeletedUser95

One thing that's been particularly frustrating to me is on a technical level how insecure Linux is. Everywhere I read it's always "Open source this! Privacy that!" when that doesn't contribute much to actual security. I do think Open Source is better in general as do I having no telemetry operating systems but I do not think it makes sense to wave it around as a flag of "I'm secure!" At all.

I use Linux because I'm tired of Windows I really am. I am tired of all the telemetry and all the stupid anti user stuff. But I by no means think I am using a Operating System more secure than it. At best I got a advantage of not being on the most popular and targeted Operating System but that doesn't mean anything for actual security and Linux still does get targeted pretty easily.

As matter of fact I've been hoping it would improve but I have yet to see any actual good improvements. The only one seeming to have potential as a base is fedora and even then the security is nothing to write home about. And yet we might see major improvements by what 2028??? Absolutely absurd. Genuinely I'm okay with the slow approach to avoid breakage but linux is quite problematic in this regard as not only is it slower than the others but it's fragmented between so many different flavors and if all flavors don't adopt a more secure approach (which they likely won't) then who is to say the developers will change their software to adapt and work with the new security? After all if it only breaks on the few distros trying to actually make security improvements then there is no problem. Right? Right?? Seriously Linux Security is abysmal and it likely won't get better either. Well maybe if Ubuntu and Fedora both drastically improve it might but even still I think that's very slim.

At best what I think is we could get something like Qubes but a bit lighter on the security as to not cause as much breakage. But even then the other security issues remain.

Truth is the Computer situation sucks and the only reason why mobile doesn't suck is all because of GrapheneOS and mobile devices (privacy issues aside) just naturally following better security practices by default.. If we didn't have that honestly it wouldn't be much better than the Computer situation we'd have today.

I would love to be proven wrong about Linux security not getting better though. Genuinely I would! I want to have hope for this system but I just don't right now.

In the end though. I learned that I did in fact prefer the privacy over the security. Which while people say you can't have one without the other this isn't inherently true with either. It depends on threat models and what you are trying to protect or defend against really whether you require both or not.

In my case I would prefer to have both! Which I am fairly confident I do have both on my phone. But on my Personal Computer? Absolutely not I do not get a feeling of good security at all.

raccoondad

DeletedUser95 another thing to mention is sellinux, which is a huge aspect of Linux security, is horrible to use. I genuinely don't think I have ever touched it in my life.