What is your desktop OS?

KCne

Eirikr70 But Linux is the operating system of the vast majority of the corporate servers.

https://privsec.dev/posts/linux/linux-insecurities/#why-is-linux-used-on-servers-if-it-is-so-insecure

On servers, while most of the problems referenced in the article still exist, they are somewhat less problematic.

On Desktop Linux, GUI applications run under your user, and thus have access to all of your files in /home. This is in contrast to how system daemons typically run on servers, where they have their own group and user. For example, NGINX will run under nginx:nginx on Red Hat distributions, or www-data:www-data on Debian based ones. Discretionary Access Control does help with filesystem access control for server processes, but is useless for desktop applications.

Another thing to keep in mind is that Mandatory Access Control is also somewhat effective on servers, as commonly run system daemons are confined. In contrast, on desktop, there is virtually no AppArmor profile to confine even regularly used apps like Chrome or Firefox, let alone less common ones. On SELinux systems, these apps run in the UNCONFINED SELinux domain.

Linux servers are lighter than Desktop Linux systems by orders of magnitude, without hundreds of packages and dozens of system daemons running like X11, audio servers, printing stack, and so on. Thus, the attack surface is much smaller.

argante I'll defend Linux. Blaming Linux is a bit like a chef trying to make a pizza. He has the ingredients: flour, yeast, etc. Let's say Linux is our flour. The pizza failed, everyone complains it's inedible. And what does the chef say? He'll claim it's not his fault... it's the flour's fault, because he won't admit he messed up.

In the case of OSs like GrapheneOS, they do everything they can to make the pizza nice and healthy. The pizza is still objectively limited because the flour has been demonstrated to be unhealthy. That’s why GrapheneOS is trying to move away from that type of flour

Eirikr70

KCne Thanks !

argante

KCne That’s why GrapheneOS is trying to move away from that type of flour

Move away, but where? To MINIX, seL4, Redox? Google has long been trying to build a solution based on good isolation. They invested in porting Capsicum from FreeBSD to Linux. This project was rejected. Later, they planned Zircon, which was the basis for Fuchsia. The first release was in 2016, and there was much talk of replacing Linux in Android. Almost a decade has passed, and what? Nothing. We're still using Linux. That's the reality. Of course, we can wait another decade, but today and tomorrow we will probably stay with Linux.

KCne

I wouldn't be able to continue this discussion without going even more off topic, so I'm making another topic

argante Move away, but where? To MINIX, seL4, Redox?

This post from @final has some points that may be of interest to you:

Two new innovations I like to bring up time and time again:
https://xous.dev/
https://www.redox-os.org/

argante Almost a decade has passed, and what? Nothing. We're still using Linux

Our roadmap page was updated to reflect our approach better.

The initial phase for the long-term roadmap of moving away from the current foundation will be to deploy and integrate pKVM and CrosVM, reinforcing existing security boundaries. The Android Open Source Project has been making significant progress on this front, so our next milestone is to securely deploy Android apps using this virtualization setup.

You'll be able to see a lot of this progress after Android QPR1 releases on GrapheneOS

txco

SecureBlue on two machines for programming and other fun computing tasks. Locked down MacOS on an M3 for anything requiring an account login.

Eirikr70

gta3 Any1 saying otherwise is a corporate shill.

I'm not a native english speaker and I don't understand that sentence, but I can understand that the argument is quite weak ;)

Graphite1

Tried kicksecure - only gives me 800*600 resolution on a 4k monitor.
Linux mint no issues. Even Qubes works properly.

Testing distros to migrate from windows. Know nothing about linux so probably will use Mint as a starter to learn the ecosystem.

Eirikr70

Graphite1 Try Fedora KDE, or Kinoite.

gta3

Graphite1 Linux mint is a good start, or Ubuntu

If u jump in too much at the deepend like arch etc, u will likely be discouraged

Once ur good with mint or ubuntu, help ur friends / family move from windows, that's rewarding

WestQuester

BuffaloStance

That linked page was what I was referring to when I said people can find things online to support their biases, no matter what they are. Regarding the "Sources". If you actually read them...

The Daniel Micay one really says nothing about Linux.
The Twitter one says nothing about Linux.
The other Twitter one is a dead link.
The PDF presentation says that Linux security is important because so much infrastructure runs on it.
The notes says Linux contributors should care more about security (always the case, yes)
Two more are links to Twitter posts about caring about security
One is a video panel discussion on improving security

There is one linked forum post that supports the article's opinion. The other links are garbage. So don't be fooled by the appearance of supporting information.

Linux is secure. Could it be more secure? Yes. Is it the most secure? I don't know. It wouldn't surprise me to find that Mac OS is more secure. But I believe Linux is secure enough and is used by many who care about security. It is definitely used by those who care about privacy.

So my advice to people is don't stress over which operating system is the most secure. The mainstream ones (including "mainstream" Linux) are secure enough. You're not going to get hacked or compromised any more if you run Linux than you would with Mac OS or Windows. Linux users are not more vulnerable. What would be more of a discriminator would be privacy and Linux wins every time there.

KCne

WestQuester Linux users are not more vulnerable. What would be more of a discriminator would be privacy and Linux wins every time there.

A GrapheneOS Twitter thread:

Traditional Linux distributions have poor privacy and security. They lack proper app sandboxing and other app privacy/security, lack isolation throughout the OS, are nearly all memory unsafe languages and lack modern exploit protections

Privacy involves much more including privacy from services, sandboxed applications, etc. macOS would win in many areas other than privacy from OS vendor [compared to Linux distros like Fedora]

A small amount of uninvasive telemetry isn't the catastrophe people make it out to be and LOTS of open source software including Firefox has similar telemetry to macOS. You aren't avoiding all telemetry, etc. by using open source software, and it's a tiny aspect of privacy

RoyalOughtness, the lead developer of the Linux OS secureblue:

Then there’s the question of if you were to configure Windows/MacOS/Linux to be as secure as possible without fundamentally rearchitecting core system components, which would be the most secure? And for that, Linux unfortunately isn’t in the running.

0-days are one of many many concerns… Desktop linux has fundamental architectural gaps.

Security needs to be proactive and in-depth. It’s this depth of proactive security that’s lacking on linux, as opposed to timeliness in fixing zero days (although that’s of course still important).

23Sha-ger

A Macbook Air running MacOS with all Apple's domains and ASN (All IPs) blocked at router level. there are no "leaks" or telementry. No Apple ID and that crap, you dont need it on a Mac. Apple doesnt really hide its telemetry like Microsoft. Best eco-system. Just dont forget spctl off.
Was a Gentoo user, Arch user. Since using Debian on servers. Desktop? My sweet Apple with all Tim Cook's books off.

KCne

23Sha-ger A Macbook Air running MacOS with all Apple's domains and ASN (All IPs) blocked at router level. there are no "leaks" or telementry.

Blocking domains from an OS vendor to achieve privacy from them is badness enumeration. You’d still have to connect to Apple’s servers to get updates, for example

Alvyn

23Sha-ger but this is again security compromise. You can run mac without apple id, but you cannot install apps from the appstore which has best sandbox. You can install apps from web or homebrew but this has less security.
To have max security on Mac = apps only from app store.

Eirikr70

gta3 Once ur good with mint or ubuntu, help ur friends / family move from windows, that's rewarding

Or not ... Hard to have them make the switch. Even when they have tried Linux and admit that the difference is quite thin as a user. Always that fear of doing things differently!

gta3

Zerodays effect all OS(yes fanboys, windows included)

Considering windows has a MUCH larger userbase, the incentive for finding vulnerabilities in windows is MUCH larger.

Linux is more secure, its more privacy oriented, less invasive, and FREE.

Windows is paid spyware trash

mmmm

argante not here to argue your point, rather your analogy. Yes, the wrong flour will indeed cause problems. You can 'fix' it, but you're better off just using the right flour.

n3t_admin

KCne not to be that guy, but...

and ASN (All IPs)

is not badness enumeration anymore.

KCne

Sigismund You just parrot whatever found on the internet because XYZ said so.

PrivSec is run by people who have made significant and noticeable contributions to security, for example @akc3n who does stuff at GrapheneOS. The Linux OS secureblue has made notable contributions as well, and they don’t deny that Flatpak has its issues. They are credible sources. Likewise, if you could show or prove any contributions to security that you’ve made, I’d be more inclined to believe your points.

n3t_admin not to be that guy, but...

Thanks for correcting me! As long as it’s respectful and not condescending, I’m all for it! :)

Eirikr70

How might that question of the desktop OS evolve when the Android desktop mode will be mature?

Scott

Eirikr70 How might that question of the desktop OS evolve when the Android desktop mode will be mature?

I wonder if Android will ever be usable on the desktop. At the moment, it is completely unusable as a desktop OS. But I am also excited to see progress.

kopolee11

Eirikr70

This could lead to GrapheneOS being a much more useable option for desktop usage, including potentially being available for specific laptops. This would undoubtedly be the most secure and private option for desktop use, compared to the status quo where there are pros and cons for many options and all are less secure and private than mobile.

Eirikr70

kopolee11 So we could use for instance LibreOffice apps on GrapheneOS on a lapdock?...

« Previous Page Next Page »