What is your desktop OS?

n3t_admin

Alvyn I don't know why you would degrade your personal security so badly because of a politician you don't like (who isn't even having any direct effects on you due to being in a different country). But to each their own I guess.

Alvyn

n3t_admin yop, everyone has own values :-)

ZoraIsHere

Mine is fedora. The reason is I didn't want to spent to many time choosing a distro. Fedora looked feasible as its backed by RedHat, has regular updates and an easy going UI

Uphill1945

Alvyn most banking apps work and what's wrong with a bank card? U can use those for tap to pay as well. And you could for a lot of banks also put a funky design on it for funs!

And yeah! Good on you for switching away from IPhone!

Sigismund

A hardened Gentoo and Arch Linux systems. I didn't not see a point to using a system that someone else's "configured" for me and said it is secure..

NetRunner88

Sigismund
So you do not use GrapheneOS neither

Sigismund

NetRunner88 Not sure what to tell you other than,don't pull a strawman argument on me,won't work.

catp96

Fedora Kinoite on the desktop and Fedora Silverblue on my laptop (same thing but desktop runs KDE and the laptop runs GNOME). I'd recommend the Universal Blue images (Bazzite, Aurora, or Bluefin) if you don't want to set it up manually to be honest.

Pixelated

EndeavourOS on a libreboot ThinkPad T490. I may switch to Artix OpenRC though.

n3t_admin

Sigismund Linux comes last in terms of security of all major 3 desktop OSes.

macOS -> Windows -> Linux. Linux has basically no sandboxing and very little measures to prevent IPC and programs accessing files they shouldn't. Hardware security is basically nonexistent too, mainly due to compatibility goals. No one "said" the other systems are more secure - they just are.

Sigismund

n3t_admin how much of what you just said here is backed by your own testing and evaluation of options given in various Linux systems? Because you seem to be thinking that it's all the same everywhere, whereas you can say Linux like it would be just one system. Unlike Mac and Win, you have plenty of options to configure the system to be as secure as you want it to be. Not compromising on usability, unlike the other two you mentioned.

You should try it.

Linux

n3t_admin Linux has basically no sandboxing and very little measures to prevent IPC and programs accessing files they shouldn't.

Have you ever heard of Flatpack?

ubersecure

NinjaShark Qubes is not secure at all against an advanced adversary. No hardware protection, it only help against software attacks.

KCne

Sigismund Unlike Mac and Win, you have plenty of options to configure the system to be as secure as you want it to be

https://privsec.dev/posts/linux/linux-insecurities/

There is a common claim in response to Madaidan that Linux is only insecure by default, and that an experienced user can make it the most secure operating system out there, surpassing the likes of macOS or ChromeOS. Unfortunately, this is wishful thinking. There is no amount of hardening that one can reasonably apply as a user to shore up the inherent issues with Linux.

ubersecure Qubes is not secure at all against an advanced adversary

QubesOS definitely has its areas where it could use improvement, although GrapheneOS has previously recommended QubesOS

https://xcancel.com/GrapheneOS/status/1964443800182632666#m

n3t_admin

KCne thank you, saves me time on researching sources. The only people who claim Linux can be hardened as much as any other OS clearly have no understanding of the architecture behind Linux.

Sigismund

KCne
@n3t_admin

You both proved my point. I asked if this comes from your own experience, yet all you did was to regurgitate someone else.. Yeah I know it's privsec and it's on the internet so it must be true..

By all means use whatever someone told you is more secure. If you can't think for yourself you need all the handholding you can get.

WestQuester

One can find information out there to support their position, regardless of what it is. Biases abound as does confirmation bias. But as a counterpoint, this thread was dedicated to rebuffing that article on Linux being insecure:
https://www.linux.org/threads/is-linux-a-secure-operating-system.51579/

TheGodfather

WestQuester But as a counterpoint, this thread was dedicated to rebuffing that article on Linux being insecure:
https://www.linux.org/threads/is-linux-a-secure-operating-system.51579/

That link is terrible. It's obvious that most people who responded there have no clue about security whatsoever.

n3t_admin

Linux https://www.linuxjournal.com/content/when-flatpaks-sandbox-cracks-real-life-security-issues-beyond-ideal

Yes, I have.

NetRunner88

n3t_admin
At some point the dev behind secureblue has a good approach to handle flatpack permissions garbage

Linux

n3t_admin Linux https://www.linuxjournal.com/content/when-flatpaks-sandbox-cracks-real-life-security-issues-beyond-ideal

Yes, I have.

"Yet, many Flatpak packages declare broad permissions like filesystem=home, filesystem=host, or device=all. That effectively grants full read-write access to the user's home directory or even system devices, defeating the purpose of the sandbox in practice. Users often assume that 'sandboxed' means locked-down, but blanket permissions expose them to risk."

Flathub will explivitly warns users about such a permission and marks the app as unsafe for using it.
Users can just remove these permission with Flatseal before running the app
In the long term this will get replaced with Portals and one day, permissions like filesystem=home, filesystem=host
Will get viewed as unacceptable for most application and apps using these will just get ignored or even moved out of Flathub. Put I think its more important to push apps to transition from X11 to Wayland because unlike with the filesystem=home the user can't just make a few GUI clicks or run a command to port every application to Wayland.

"
Real-World Breakouts from the Sandbox
CVE‑2024‑32462: RequestBackground Portal Abuse

Security researcher Gergo Koteles uncovered a high-severity vulnerability where malicious Flatpak apps could craft a .desktop file via the org.freedesktop.portal.Background.RequestBackground interface. That tricked Flatpak’s --command= parsing into injecting bwrap arguments (e.g. --bind). This allowed arbitrary host commands to execute outside the sandbox boundary. Versions before 1.10.9, 1.12.9, 1.14.6, and 1.15.8 were affected. Patched in the listed versions and mitigated in xdg-desktop-portal 1.18.4 and newer.
CVE‑2024‑42472: Persistent Data Symlink Exploit

A Flatpak flag, --persist (or persistent= in manifest), allows apps writable storage within their data directory. But if a malicious install replaces that directory with a symlink pointing to sensitive host folders (e.g. ~/.ssh), the sandbox mount entry follows it into the real filesystem, giving the app unintended access to files outside its name-spaced area. All versions up to 1.14.8 and 1.15.x ≤ 1.15.9 are vulnerable; patched in 1.14.10 and 1.15.10+.
"

These are bugs and there where patched.

NetRunner88 At some point the dev behind secureblue has a good approach to handle flatpack permissions garbage

What would/does this approach look like?

p-marg

Linux

https://secureblue.dev/articles/flatpak

https://github.com/secureblue/secureblue/issues/193#issuecomment-1953323680

https://secureblue.dev/faq#appimage

p-marg

overpass I use https://secureblue.dev

« Previous Page Next Page »