What is more secure: Securblue or MacOS?

goskm75f

Title.

argante

goskm75f The security level is quite comparable. In general, MacOS is more secure than Linux. Applications are well isolated, which is still not well developed in Linux. Secureblue improves many things vs typical Linux distributions. Similarly, iOS is (?)a bit more secure(?) than GOS, but GOS is more secure than iOS in terms of unlocking capabilities. I would definitely choose Secureblue and GOS vs MacOS and iOS. Of course, it is important to remember that security is not privacy, because many people think that MacOS/iOS is not secure because it does not provide privacy. And a key note: security very much depends on the user - if he does stupid things, it does not matter how secure the OS gets.

rabcor

I don't know what Securblue is, but I know what MacOS is. And MacOS isn't particularly secure at all in any of the several things that word refers to. Apple is about as aggressive about spying on it's users as google (remember the cloud leaks? bad security, bad privacy), and Apple's stance on malware has always been to bury their heads in the sand and pretend their operating systems are invulnerable to it, while selling people on the lie that their operating systems are invulnerable to malware.

So I don't know what Securblue is, but I am sure it's more secure than MacOS, even Windows might be more secure than MacOS.

dhhdjbd

argante i think you mean the ios kernel

GrapheneOS GrapheneOS is easily the most private and secure general purpose smartphone OS. The competition is iOS, none of these products. It's certainly more secure than everything you've listed here. iOS and AOSP are far more secure than any traditional desktop operating systems. We would simply say GrapheneOS is more secure than iOS in lockdown mode when looking at the whole picture despite iOS having a more secure base for the kernel for now. iOS has a lot of merits, but these things don't.

freebsd-user

argante GrapheneOS doesn't let you do stupid things

Linux

argante Applications are well isolated, which is still not well developed in Linux.

Flatpak and easy tooling for it like Flatseal is out since years so what do you mean with "its not well developed" ?

Bimmy I remember having heard some rumours about a google project for desktop/laptop with android.

Do you mean ChromeOS?

Eumenia https://www.msn.com/en-us/technology/software/one-man-s-apple-account-got-locked-after-he-bought-a-compromised-gift-card-losing-him-20-years-of-digital-life/ar-AA1SoeOB

"With software there are two possibilities, either the user controls the program or the program controls the users."
Richard Stallman

argante

dhhdjbd i think you mean the ios kernel

I mean MacOS and iOS. Apple has its own processor, security chip, hardware, compiler, languages, operating system and browser. They can much more easily implement security solutions like MTE, application isolation, etc. Meanwhile, in Linux distros, you usually have a kernel, collection of software plus hundreds of patches and it all somehow sticks together.

ngie

argante

I'm going to be a bit of a pedant here: the macOS distribution (code-name "Darwin") combines a lot of third-party software, much like Android does. macOS bundles and distributes a lot third-party software from FreeBSD, LLVM, NetBSD, perl, python, ruby, etc, just to name a few components.
Linux is a kernel; GNU/Linux and Android (for example) are OS distributions.

Eumenia

argante Apple has its own processor, security chip, hardware, compiler, languages, operating system and browser.

argante Apple has its own processor, security chip, hardware, compiler, languages, operating system and browser. They can much more easily implement security solutions like MTE, application isolation, etc. Meanwhile, in Linux distros, you usually have a kernel, collection of software plus hundreds of patches and it all somehow sticks together.

Can you elaborate how Apple's compiler or language (I assume you mean Swift) is more secure then Androids or Linux?
And just because it's all from one of company doesn't make it more secure.

Bimmy

One one hand, I somewhat like comparisons like that and occasionally ask myself similar questions. On the other hand, I find answering really challenging since I see security not as a 1-dimensional good-bad axis but having several dimensions, branching out into sub-levels.

What makes it even more challenging: What can be a show stopper for one person may be completely unimportant for another. For instance, a relatively weak (HW) physical security of a common desktop linux device might be accepted by s.o. who only fears malicious downloads and/or has their devices locked up in a high security bunker.

Anyway, if s.o. has more deeper insight and wants to provide their evaluation of some aspects of these OS, I'd definitely be interested.

argante

Bimmy GOS is created exclusively for Pixel phones. This maximizes the benefits of the hardware (MTE, Titan M). Apple is also in such a good position because it designs both the hardware and the operating system that is to run on it. A typical Linux distribution is created to run on the widest possible hardware configuration, which often forces compromises and suboptimal solutions (also in the context of security).

Bimmy

argante

Yes. I wish there was a laptop/desktop with comparable security hardware ready to run and provide the respective interfaces for a security-focused linux distribution -- maybe even a desktop-ready android (most preferably GOS).

I remember having heard some rumours about a google project for desktop/laptop with android. But I have no idea how real that is, and whether that is a realistic perspective in the foreseeable future.

argante

ngie That's not the case. See the threads about porting A16 to GOS. GOS developers initially lost information about which parts of the code were Pixel-specific and would have had to introduce a large blob, which may reduces security. In GOS, they select only the parts of the code they need for individual Pixel models. Apple has the same capabilities. A typical Linux distribution will install as many kernel modules, additional options, plugins, etc. as possible. If something can be compiled with a given option, they will definitely enable it.

https://privsec.dev/posts/linux/linux-insecurities/

IksNorTen

The answers on this topic posted on PG community may be relevant here: https://discuss.privacyguides.net/t/moving-from-fedora-macos-security-privacy-hardening-and-dev-tool-recommendations/30730

de0u

Eumenia Just because it's all from one of company doesn't make it more secure.

Indeed, there is no single magic wand.

But in practice if one party gets to make decisions about multiple layers, without needing to reach consensus with a wide variety of independent actors, important structural improvements can be made.

Apple's OS (then called OS X) introduced System Integrity Protection in 2015. Ten years later that is hardly a common feature of Linux distributions.

All Macs starting with the T2 chip (2018) have had hardware disk encryption with instant cryptographic erasure. That can be done with Linux, with some care, if it's running on the right hardware.

Eumenia Can you elaborate how Apple's compiler or language (I assume you mean Swift) is more secure then Androids or Linux?

The GrapheneOS developers have repeatedly stated on this forum that people who for some reason can't use GrapheneOS on a Pixel should consider using an iPhone or a Mac. They have also repeatedly stated that regular desktop Linux is not at all a paragon of security. Thus "Androids or Linux" isn't really one category. And indeed "Androids" isn't even one category. Android on a Fairphone 4 (with a blown bootloader) is not in the same class as GrapheneOS on a Pixel.

There are many details, and many ways to get into trouble. But Apple really has done a lot of work, in hardware and in software, to improve security. And being able to schedule hardware and OS and browser improvements together is part of that picture.

Eumenia

de0u But in practice if one party gets to make decisions about multiple layers, without needing to reach consensus with a wide variety of independent actors, important structural improvements can be made.

I never had the feeling that Google had struggle with enforcing new security standards like changing the all files access system to a system where the user can pick the files he wants the app to have access.
On Desktop Linux it's a bit harder but at the end you can still push security improvements like Wayland.

de0u

Eumenia I never had the feeling that Google had struggle with enforcing new security standards like changing the all files access system to a system where the user can pick the files he wants the app to have access.

It takes Google multiple years to convince Android vendors to roll out major security infrastructure features. I don't think it's true that all Android phones have an independent hardware security processor, wrapped storage keys, etc. So far GrapheneOS runs only on Pixels exactly because Google does not have the sort of platform control that Apple does.

traume25

When considering the OS itself, I would give the edge to SecureBlue.
However, as many have pointed out, security isn't achieved by the OS alone; I believe the strength of security is determined by the design between the hardware and the OS.

For users who don't trust large tech companies like Apple, installing SecureBlue on a Chromebook using Mr.Chromebox firmware is the best approach. However, this process won't be easy for the average end user. (Installing the firmware requires at least amateur-level knowledge, if not professional expertise, since it involves using a ROM writer.)

KCne

traume25 installing SecureBlue on a Chromebook using Mr.Chromebox firmware is the best approach

You could alternatively use a burner account on a MacBook or Chromebook

traume25

KCne A burner account is not alternatively solution. This is also unrelated to the security between hardware and the operating system.

Eumenia

de0u It takes Google multiple years to convince Android vendors to roll out major security infrastructure features. I don't think it's true that all Android phones have an independent hardware security processor, wrapped storage keys, etc. So far GrapheneOS runs only on Pixels exactly because Google does not have the sort of platform control that Apple does.

Apple can do with their Hardware what they want and Google can do the same.
Their is no difference in this aspect

rumblenek

macOS is better
secureblue is a hobbyOS

Apple do a lots of things regarding security and is a best bet

Eumenia

rumblenek macOS is better

https://www.msn.com/en-us/technology/software/one-man-s-apple-account-got-locked-after-he-bought-a-compromised-gift-card-losing-him-20-years-of-digital-life/ar-AA1SoeOB