Privacy & Security of Graphene vs Linux?

Phead
Thanks Phead, that's an interesting read; it does make me lean towards Graphene without further info. I guess if I did end up replacing my laptop with the Pixel tablet then it would reduce the attack surface also.

malatoi

Referring to your xkcd link, in such a scenario let's say I had a document on one device that had recently been deleted. I'm forced to give up my keys to both devices. Is there more of a chance of recovery on one device over the other?

When you're worried about someone recovering your deleted data, there's a lot that goes into it, for example wear leveling, etc. One of the best ways to make sure your data is at least way harder to recover, if not impossible, is to use something called the "TRIM" command. On an Android phone, this happens automatically every night when your phone is idle, or when you restart your phone if it hasn't happened in 3 days.

If you're using a Linux computer, you need to check if this TRIM command is turned on and how often it's set to run.

In Graphene OS, you can keep important documents in a separate profile. When you delete that profile, all the documents in it get deleted too and can't be recovered.

OldMan GrapheneOS is "dummy secure". Means it protects you from YOURSELF.

Desktop Linux security depends on how it's used and the competence of the user. Be a dummy and you'll have China and Russia invading it in no time and using it as a VPN endpoint and part of cryptocurrency botnets. Be smart though, and there's nothing to worry about.

    csis01 That is not correct. Aside from the fact that the approach of "just don't get infected!" doesn't work, has never worked, and will never work, GrapheneOS' security model isn't about "protecting you from yourself".

    GrapheneOS builds on AOSP's already strong security model and hardens security in many ways beyond that to make exploitation that much harder to occur.

    An example of the approach is detailed here, though that's not the full picture:

    https://grapheneos.org/features#exploit-protection

    It's fine if people want to use desktop Linux distributions (I use one, too), but I think it's irresponsible to misrepresent it as secure and tell people that they have nothing to worry about if they're "smart".

      I think @Vogelhaus adequately answered what OP was really asking about, which was about secure file deletion and disk encryption. Namely, GrapheneOS does it by default, and it can be set up on Linux.

      Of course, if you get your device seized while it's unlocked, there's not much disk encryption will do for you there...

      matchboxbananasynergy

      It's fine if people want to use desktop Linux distributions (I use one, too), but I think it's irresponsible to misrepresent it as secure and tell people that they have nothing to worry about if they're "smart".

      I share @csis01 's opinion on the importance of OPSEC—that is, the importance of making thoughtful decisions when operating a computer. GrapheneOS's strong exploit mitigations are not an excuse to make bad decisions. I would agree with you when you push back against misrepresenting Linux as secure, but @csis01 never said Linux was secure. @csis01 is saying that the only thing which impacts whether a user is exploited is the user's own decisions, which is an argument for every computer in the world, regardless of the operating system.

      This is observably false, because zero-click exploits exist. The user does not even have the opportunity to make a decision before their operating system has been exploited by an invisible calendar invitation. Nonetheless, I think @csis01 makes a good point about focusing on OPSEC even while trusting your operating system has your back.

        Equal2024 I agree with that, but you need to start with an essential baseline and go from there. Desktop operating systems with no access control, sandboxing, or any other modern security features feel antiquated in today's world.

        Can you use, say, Fedora Linux and never get infected or compromised? Probably. But that would be because the person using it is being extremely careful, or because no one tried, because compared to other systems, you'd be leaving yourself more or less wide open.

        Nothing is bulletproof, and that of course includes GrapheneOS. The project never claimed that it is. All it is is a secure baseline (AOSP) with significant hardening and security/privacy improvements that can significantly increase the effort/money required to compromise it. That still requires the person using it to remain vigilant.

          matchboxbananasynergy It's fine if people want to use desktop Linux distributions (I use one, too), but I think it's irresponsible to misrepresent it as secure and tell people that they have nothing to worry about if they're "smart".

          Translation: You aren't willing to accept that there are security minded and intelligent users. EVERYBODY in your opinion, is a moron who needs to be protected from themselves.

            Equal2024 zero-click exploits exist

            As an example, a "zero-click exploit" cannot exist in a system that is entirely disconnected from all networks and other devices and external data sources. Even DOS is secure, if you never connect a network or insert a potentially infected-with-something disk.

            csis01 That is not at all what I'm saying, but I'm not going to engage you further. I'd like to ask you to please at least try to assume good faith in others. It leads to much more productive conversations and less pointless arguments.

            OldMan
            On Linux once an executable runs it has access to "everything", unless SE-linux policies exist, which for average joe is not the case. On G-OS this is not the case. This is relevant if we are talking about being hacked while the device is on.

            As far as I know trim commands are never run on Linux automatically, which is another one of my gripes against Linux. You'd have to set a scheduler to run it (cron job). In Windows a trim command is sent every time any file is deleted.

              User2288

              On Linux once an executable runs it has access to "everything", unless SE-linux policies exist, which for average joe is not the case. On G-OS this is not the case.

              Could you expand a bit more on why Fedora's default SELinux policies are not adequate? And maybe about why SELinux is superior to AppArmor, which is used by default on Ubuntu.

                User2288

                As far as I know trim commands are never run on Linux automatically, which is another one of my gripes against Linux. You'd have to set a scheduler to run it (cron job). In Windows a trim command is sent every time any file is deleted.

                You can set up Continuous TRIM in Linux, too, quite easily: https://wiki.archlinux.org/title/Trim#Continuous_TRIM

                The note explains some of the disadvantages of Continuous TRIM and why this is not the default.
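An added example (my own script, not from any poster or the Arch wiki) that audits both forms of TRIM discussed in this thread: periodic TRIM via systemd's fstrim.timer and continuous TRIM via the discard mount option, plus whether the block device actually accepts discards. The parsing functions read command output from stdin so they can be exercised on the constructed sample data; run with --live for the real system.

```shell
#!/bin/sh
# Added example, not from the thread: audit how TRIM is set up on a Linux machine.
# Periodic TRIM is systemd's fstrim.timer; continuous TRIM is the "discard" mount
# option. Each check parses command output passed on stdin so it can be run on
# constructed data offline (no root or systemd needed for that).

# Classify `systemctl is-enabled fstrim.timer` output as enabled/disabled.
periodic_trim_state() {
    case "$1" in
        enabled|static) echo "enabled" ;;
        *)              echo "disabled" ;;
    esac
}

# stdin: `findmnt -rn -o TARGET,OPTIONS` lines ("<mountpoint> <opt,opt,...>").
# Prints mount points whose options contain discard or discard=async (btrfs),
# i.e. file systems doing continuous TRIM on every delete.
continuous_trim_mounts() {
    awk '{
        n = split($2, opt, ",")
        for (i = 1; i <= n; i++)
            if (opt[i] == "discard" || opt[i] ~ /^discard=/) { print $1; break }
    }'
}

# stdin: `lsblk -dn -o NAME,DISC-MAX` lines. A DISC-MAX of 0B means the device
# (or a layer above it, e.g. LUKS opened without --allow-discards) does not
# pass TRIM through, so neither periodic nor continuous TRIM reaches the flash.
trim_capable_devices() {
    awk '$2 != "0B" { print $1 }'
}

# Run the real checks; the systemd part is skipped when systemctl is absent.
audit_trim() {
    if command -v systemctl >/dev/null 2>&1; then
        state=$(systemctl is-enabled fstrim.timer 2>/dev/null)
        echo "periodic TRIM (fstrim.timer): $(periodic_trim_state "$state")"
        systemctl show fstrim.timer -p LastTriggerUSec 2>/dev/null
    fi
    echo "devices accepting discards:"
    lsblk -dn -o NAME,DISC-MAX | trim_capable_devices
    echo "mounts with continuous TRIM:"
    findmnt -rn -o TARGET,OPTIONS | continuous_trim_mounts
}

# Constructed sample output (not from a real machine), standing in for the live commands.
SAMPLE_MOUNTS='/ rw,relatime,discard
/home rw,relatime
/data rw,relatime,discard=async'
SAMPLE_DEVICES='nvme0n1 2T
sda 0B'

echo "sample continuous-TRIM mounts:"
printf '%s\n' "$SAMPLE_MOUNTS" | continuous_trim_mounts
echo "sample TRIM-capable devices:"
printf '%s\n' "$SAMPLE_DEVICES" | trim_capable_devices
if [ "${1:-}" = "--live" ]; then audit_trim; fi
```

If fstrim.timer is disabled and no mount shows discard, deleted blocks stay on the flash until the drive's own garbage collection gets to them, which is the recovery window the thread is asking about.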

                  Equal2024 Could you expand a bit more on why Fedora's default SELinux policies are not adequate?

                  Well to be honest when I said the above I wasn't thinking of Fedora! I was thinking of the majority of other "popular" distros which have SE-linux and AppArmor disabled by default (Mint, Pop OS, Manjaro, Zorin, etc). Also I don't know if you are asking this question sarcastically (to prove me wrong) or if you are really curiously asking, hah. Regardless, I can tell you that my education on the subject is very minimal at best. You might know more on the subject than me, in which case I'd be very happy to hear what you might have to say. I'm a newcomer to Linux and my attempts at improving Linux security and educating myself on it have been heavily stonewalled either by a lack of good sources of information (too many pages with no good answers) or heavily technical documents and having to do everything in the command line (ridiculous IMO), which are beyond reasonable expectation for the average person to delve into. FYI, I know some programming and scripting (programming student), and generally am computer savvy. Yet even for me it's like... forget it. I can't be bothered to read a multi-day long book just to be able to use SE-linux or AppArmor in the command line.

                  What's SE-linux on Fedora like? I don't know! And that's the problem. There is like no easy to find explanation that one can read to learn about the exact implications of its presence. What does it do? How does it help? How good is it out of the box? Does it need anything else to be done? What? All... beats me. With something like Android, it's clear; long-winded, but clear. And it's easy to find and read on. Implemented perfectly out of the box with nothing else to do. Just learn to use.

                  Equal2024 ...And [expand more] maybe about why SELinux is superior to AppArmor, which is used by default on Ubuntu.

                  Isn't AppArmor disabled in Ubuntu by default? I thought it was.

                  About their difference I can only quote one line that I heard while watching this YouTube video called "SE Linux for mere mortals" (which by the way I gave up on half way through), and that is:

                  AppArmor is path based, whereas SE-linux is more capable and versatile.

                  But I'm not opposed to AppArmor in any way. I'm happy to learn either and implement them on a system. The problem is it's a nightmare even to get started!

                  Now if you know anything about SE-linux on Fedora I'm more than all ears to hear it.

                    Equal2024 You can set up Continuous TRIM in Linux, too, quite easily: https://wiki.archlinux.org/title/Trim#Continuous_TRIM

                    The note explains some of the disadvantages of Continuous TRIM and why this is not the default.

                    A good post, thanks for this. But this is typical Linux. The fact that one has to worry about such low level details and has to do it themselves is just the Linux story.

                    A more interesting question for me is, does having trim actually eliminate the possibility of data recovery from deleted sectors? On paper the answer seems a yes. But is that an answer one can trust? We know data recovery companies do recover data from SSDs, but can they do it on deleted sectors too? I'd like to know the answer to that.

                      User2288

                      Well to be honest when I said the above I wasn't thinking of Fedora! I was thinking of the majority of other "popular" distros which have SE-linux and AppArmor disabled by default (Mint, Pop OS, Manjaro, Zorin, etc).

                      There are only really two "popular" types of distributions:

                      • Ubuntu-based (excluding Debian, but that's more of a server release)
                      • RPM-based (Fedora, RHEL, OpenSUSE, technically Qubes I guess)

                      Manjaro is an Arch-based distribution. I really wouldn't recommend using an Arch-based distribution like Manjaro or Garuda; only use mainline Arch Linux. EndeavourOS might be okay, but I don't see much reason to use it given Arch has an install script now. Manjaro in particular does not have a great security track record, but Garuda does some wacky stuff like build binaries for every PKGBUILD in the AUR and offers users an easy way to install those binaries with a graphical installer. Just use Arch if you want to use Arch.

                      OpenSUSE does enable SELinux by default, but does not include any policies.

                      Ubuntu has enabled AppArmor by default since 2007 and ships with more profiles in every release, according to the infamously outdated Ubuntu Wiki:

                      AppArmor support was first introduced in Ubuntu 7.04, and is turned on by default in Ubuntu 7.10 and later. AppArmor confinement in Ubuntu is application specific with profiles available for specific binaries. With each release, more and more profiles are shipped by default, with more planned.

                      Linux Mint is the only really popular Ubuntu-based distribution, and it also apparently enables AppArmor by default.

                      Whether profiles are included or not, I don't know.

                      Oh, and I think Manjaro implements AppArmor, but I still wouldn't recommend Manjaro...

                      Also I don't know if you are asking this question sarcastically (to prove me wrong) or if you are really curiously asking, hah.

                      I'm an Arch user, and I have no idea about Fedora or SELinux. I've been considering switching to Fedora because it allows you to easily enable FDE, sets up SELinux, and generally does a bunch of security stuff that is annoying to do on another distribution out of the box. It's a rolling release like Arch which ships most packages without changes and doesn't have quite so many updates, so you're still getting regular patches. It doesn't have as many official packages, though. I'm not sold on Flatpaks yet but I'm sure they'll continue to improve. So long as NVIDIA implements a real free software driver and the last H.264 patent finally expires in 2028, the small usability issues will also be gone. Well, assuming AAC patents are gone by then, too...

                      So I think Fedora is a great experience for novice and advanced users alike with very sane defaults. I've tried it out on an old computer and it seems fine, but I found out it ships an older version of cURL which wasn't new enough to build my RSS feed reader. I dread to imagine what version of cURL is shipped with Ubuntu.

                      You might know more on the subject than me, in which case I'd be very happy to hear what you might have to say. I'm a newcomer to Linux and my attempts at improving Linux security and educating myself on it have been heavily stonewalled either by a lack of good sources of information (too many pages with no good answers) or heavily technical documents and having to do everything in the command line (ridiculous IMO), which are beyond reasonable expectation for the average person to delve into. FYI, I know some programming and scripting (programming student), and generally am computer savvy. Yet even for me it's like... forget it. I can't be bothered to read a multi-day long book just to be able to use SE-linux or AppArmor in the command line.

                      This generally reflects my experience, although I will say I prefer doing most things in the terminal, and I do some system administration work on the side. I mostly couldn't be bothered with it and didn't bother implementing AppArmor or SELinux on my Arch installs. I also didn't bother with FDE for similar reasons. I would like to one day read a multi-day long book on the subject of SELinux...sometime, far into the future, on a lazy weekend.

                      AppArmor seems easy enough to get your head around to start with, from the little I did with it.

                      What's SE-linux on Fedora like? I don't know! And that's the problem. There is like no easy to find explanation that one can read to learn about the exact implications of its presence. What does it do? How does it help? How good is it out of the box? Does it need anything else to be done? What? All... beats me. With something like Android, it's clear; long-winded, but clear. And it's easy to find and read on. Implemented perfectly out of the box with nothing else to do. Just learn to use.

                      I believe the Fedora implementation is meant to be similar to Android, in that it's meant to be perfect out of the box with nothing else to do. I'm afraid I can't help you there, since I still don't use Fedora as a daily driver. Maybe next year.

                      About their difference I can only quote one line that I heard while watching this YouTube video called "SE Linux for mere mortals" (which by the way I gave up on half way through)

                      Oh, hey, that's the same video I watched 5 minutes of a long time ago. Maybe one day. Probably right after I switch to Fedora...

                      A good post, thanks for this. But this is typical Linux. The fact that one has to worry about such low level details and has to do it themselves is just the Linux story.

                      These disadvantages are actually to do with the TRIM standard and SATA itself. I don't imagine other operating systems have it any easier. From the Wikipedia page:

                      Faulty drive firmware that misreports support for queued TRIM or has critical bugs in its implementation has been linked to serious data corruption and/or serious bugs like frequent freezes in several devices, most notably Micron and Crucial's M500[75] and Samsung's 840 and 850 series.[76] The data corruption has been confirmed on the Linux operating system (the only OS with queued trim support as of 1 July 2015).

                      If your drive uses SATA 3.1+, you shouldn't need to worry about any of this. I assume most drive manufacturers have figured out how to make non-dodgy firmware by now...

                      I have no idea how Windows handles this.

                      We know data recovery companies do recover data from SSDs, but can they do it on deleted sectors too? I'd like to know the answer to that.

                      Ditto.
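Both the question above about what SELinux on Fedora does out of the box and the distro-by-distro AppArmor discussion come down to "which MAC system is actually active and with how many policies/profiles?". This added script (my own, not from any poster) answers that from kernel-exposed files only, so it works on any distro; the root-directory parameter lets it run against a constructed sysfs tree for the offline demonstration, and --live inspects the real machine.

```shell
#!/bin/sh
# Added example, not from the thread: report which mandatory access control (MAC)
# system a Linux install really has active, using only files the kernel exposes.
# Every function takes an optional root directory so a constructed tree can
# stand in for /sys during testing; the default (empty) means the real system.

# Comma-separated list of LSMs the running kernel initialised, e.g.
# "lockdown,yama,apparmor" on Ubuntu or "lockdown,yama,selinux,bpf" on Fedora.
active_lsms() {
    cat "${1:-}/sys/kernel/security/lsm" 2>/dev/null
}

# SELinux mode: "enforcing", "permissive", or "absent". selinuxfs is only mounted
# when a policy is loaded, so "absent" also covers kernels with SELinux disabled.
selinux_mode() {
    root=${1:-}
    if [ -r "$root/sys/fs/selinux/enforce" ]; then
        case "$(cat "$root/sys/fs/selinux/enforce")" in
            1) echo enforcing ;;
            *) echo permissive ;;
        esac
    else
        echo absent
    fi
}

# AppArmor: count of loaded profiles in enforce mode (complain-mode profiles only
# log). Each line of securityfs "profiles" reads "<name> (enforce|complain|...)".
# The profiles file is root-only, so an enabled module may still be unreadable.
apparmor_enforced_profiles() {
    root=${1:-}
    f="$root/sys/kernel/security/apparmor/profiles"
    if [ "$(cat "$root/sys/module/apparmor/parameters/enabled" 2>/dev/null)" != "Y" ]; then
        echo absent
    elif [ -r "$f" ]; then
        grep -c '(enforce)$' "$f" || true
    else
        echo "enabled (profiles unreadable; run as root)"
    fi
}

mac_summary() {
    echo "LSMs initialised by kernel: $(active_lsms "$1")"
    echo "SELinux: $(selinux_mode "$1")"
    echo "AppArmor enforce-mode profiles: $(apparmor_enforced_profiles "$1")"
}

# Constructed sysfs tree (not a real machine): an AppArmor distro with two
# enforced profiles, one complain-mode profile and no SELinux policy loaded.
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/sys/kernel/security/apparmor" "$d/sys/module/apparmor/parameters"
    printf 'lockdown,yama,apparmor\n' > "$d/sys/kernel/security/lsm"
    printf 'Y\n' > "$d/sys/module/apparmor/parameters/enabled"
    printf '/usr/sbin/cupsd (enforce)\nfirefox (complain)\n/usr/bin/man (enforce)\n' \
        > "$d/sys/kernel/security/apparmor/profiles"
    echo "$d"
}

SAMPLE=$(make_sample_tree)
echo "--- constructed sample tree ---"; mac_summary "$SAMPLE"; rm -rf "$SAMPLE"
if [ "${1:-}" = "--live" ]; then echo "--- this machine ---"; mac_summary ""; fi
```

A distro that ships the module enabled but zero enforce-mode profiles (the "enabled but no policies" case mentioned for OpenSUSE above) shows up here as AppArmor 0, which is the honest answer to "how good is it out of the box".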

                        User2288 I'm a newcomer to Linux and my attempts at improving Linux security and educating myself on it have been heavily stonewalled either by a lack of good sources of information (too many pages with no good answers) or heavily technical documents and having to do everything in the command line (ridiculous IMO), which are beyond reasonable expectation for the average person to delve into. FYI, I know some programming and scripting (programming student), and generally am computer savvy. Yet even for me it's like... forget it. I can't be bothered to read a multi-day long book just to be able to use SE-linux or AppArmor in the command line.

                        What's SE-linux on Fedora like? I don't know! And that's the problem. There is like no easy to find explanation that one can read to learn about the exact implications of its presence. What does it do? How does it help? How good is it out of the box? Does it need anything else to be done? What? All... beats me.

                        The lack of good documentation (which, for me, includes easy to find bits of information) was why I committed myself to Arch. It took quite some time to configure it, install all the stuff that I needed and so on, but whenever I felt lost (frankly, I believe that's part of the Arch experience) I found answers in their wiki. It explains enough to make an educated decision or at least gives me enough buzzwords to find what I need to know. Mostly.

                        The dark side is that I as a user have to be the sys admin, too. Boot Parameters, DAC/MAC, iptables, WMs, compositor ... Nightmares. Still gives me the creeps when I think back.

                        However, whenever I use a different OS, I feel like playing a racing game instead of driving a real car. It's easier and more fun, but it's also only half of the real experience. I do not mean this in any way demeaning, in fact, I would love to be able to appreciate an OS with a lot less need to take care of, but I just can't anymore. In my experience, once you dig deep enough and start to understand, you feel the good part of having full control over your machine. And with great power come great responsibilities and that's usually the point when I start to ask myself if it's worth it but I always come back.

                        Linux might be a lot less secure than macOS or even Windows, but at least I have the means to change that. Unfortunately, I also have to do it, at least some basic stuff, to get a modestly secure setup.

                        Still have no clue how to configure AppArmor properly without running into issues, though. Also, reading about how demanding it can be to configure SELinux, I simply do not see that on the horizon for me in the foreseeable future.

                          Equal2024

                          In Windows there is a system executable called WinSAT. It runs as a service and does a bunch of system maintenance stuff every day (including defrag, SSD management, logs, cleanup, etc). It manages Trim as well as setting up system settings needed for the hardware, so you don't have to do it manually.

                          I feel command-line/terminal is not a problem for most people. The problem is having to know hundreds of commands and parameters off the top of your head and remembering what order to use them in. It's an impossible task for someone who is not repeatedly using them day in, day out. It's beyond impractical for the average person. Having a booklet of commands by your side to have to look up in, left, right, and center, is also impractical and unacceptable. Been there, done that.

                          I think at the moment Fedora and Arch are the best and most complete systems to go with, with Arch being out of the question for people who wanna get started in Linux. In the chase of trying to get into Linux the easy way I have tried (topically) Gecko, Manjaro, Ubuntu, Mint, Zorin, and Pop OS. Each is good in something, but bad in another (from a semi advanced user's beginner experience in Linux).

                          I just want a secure Linux that I can browse the internet with at the very least, without using Tails or Qubes. Even this has been a tall order to find.

                          Phead Yup. I get it. But building Arch is not practical for people getting into Linux, and apparently neither is any of the other options.

                          Right now I'm about to get started on Fedora. Installing on two computers.