For me the following:
- Nice IDE like VSCodium.
- Nice office suite like LibreOffice.
- Apps having mature desktop sites.
- (Unsure if already implemented) it would be nice to have a system tray as well.
I value privacy and security and I am trying to learn more about the subjects.
I saw I made one mistake: the Pixel 4 is not obsolete but legacy extended support.
But the others indicate 'extended support' instead of 'legacy extended support'.
If you do not want to change it that is fine, I just was unsure whether it was a deliberate choice.
It concerns the tags below.
Or maybe just list the model names, so they do not have to be changed like shown below:
Oh my bad, I misread that you wanted an alternative to Syncthing for music syncing.
For listening to music on my smartphone I always used VLC which has playlist and folder support.
It also does not have invasive permissions and works without network permissions if you disable it.
The only option I can think of is rsync, but you would have to use a custom folder like with Syncthing.
fria So many devices nowadays have built in MAC randomization or even randomization by default that you don’t really need to worry about it.
It is great that it has become more of a standard.
yore A fully randomized MAC address doesn't guarantee that the OUI portion will be set to a value that has ever existed or is quite rare. If you were to connect to Network A with a fully randomized MAC address and later to Network B with another fully random address, or even reconnect to the same network, theoretically these activities could be linked as an observer could say "Aha, it's that user with a spoofed MAC address again." Linking activities aside, it still makes it obvious that the device is spoofing their MAC and we generally don't want networks to be clearly aware of that.
In my opinion both options seem reasonable to me.
And I don't really think there is a "best" option, because of them both having trade-offs.
Personally I would prefer your recommendation on MAC addresses, because you blend in with the crowd more.
yore No worries, just wasn't sure what you meant! I see what you mean here now. Do you know of any examples of this in practice? It's my first time hearing about it so I'd like to learn more
Red Hat has a dedicated security team, while Arch Linux has one too but that is community driven.
And Red Hat does security audits, while Arch Linux does not and relies on the community to check the security.
yore That's great to hear! Thanks for sharing.
It is a really cool feature, which is one of the reasons I want to switch from Fedora Workstation.
On Arch Linux you could also configure hardened_malloc apparently.
Since credentials are required for access, network administrators could monitor activity per user more easily.
Additionally, the implementation of a custom network certificate by institutions introduces potential security risks. In my opinion, Eduroam is worse for privacy and security than general public Wi-Fi networks.
Thanks for the extra context!
Personally I use two web browsers:
Another great browser would be Mullvad Browser, because it has great anti-fingerprinting protection.
Even better so than Brave, but sadly it lacks in security because of the lackluster site isolation for example.
Cromite might also be interesting, as it is also available on Linux and has a built-in adblock like Brave.
But the same situation as with Bromite could arise.
Since Bromite stopped getting updates, because of its small team.
The issue is that web browsers in the current day are not ideal, but these seem the best options in my eyes currently.
Mystified3527 With Syncthing being discontinued for android, how should I sync the password database, so that changes made on any device are merged together?
If you are not interested in using cloud services you can look into rsync.
From my understanding it works similarly to Syncthing.
And you could use Bitwarden or a self-hosted version of it.
Or you could look into self hosting Nextcloud.
Mystified3527 I am considering Proton Drive, since it seems more secure for storing passwords than trying to use google drive, dropbox, or something similar. Is this a good idea, and if so how would it work? I have not been able to find much information about setting up Proton Drive to sync KeePass databases, so I don't know if it requires any special set up for everything to work correctly.
Proton Drive is a secure option for storing passwords, as it offers end-to-end encryption.
However, it does not have native integration with most file managers.
So you need to download the latest file every time, and it is not like MEGA.
With MEGA you can access your drive files directly from your stock file manager if I am not mistaken.
Mystified3527 Once I have KeePass synced, how should I back up 2FA stored in either Aegis, or a separate KeePass database without losing the benefit of 2FA? Is it fine backing up 2FA using the same method I use to back up my passwords as long as they are in separate databases?
Personally I use two different KeePass files: one for 2FA and one for passwords.
Using Aegis you should be able to make an encrypted export from the app.
With KeePass you can export the 2FA KeePass file in multiple ways including .html.
You could encrypt the .html file using a .zip file like I do.
Important for back-ups is to have back-ups in different places.
Because if for example your house burns down all your passwords would be gone.
This is my current weekly backup method for KeePass:
- File Copies: 3 copies of KeePass files (including copies as .html files in encrypted zip).
- USB Backups: Backed up on 2 USB drives.
- Device Synchronization: Synced on my laptop and phone using Syncthing.
- Cloud Storage: Backed up in Proton Drive and Filen using an encrypted zip file.
yore That won't help unless packages come with SELinux profiles or you make your own strict profiles.
yore Again, you would need strict firewall rules for it to be effective.
I agree with you on both points; great observations.
yore MAC randomization is a bad idea if it fully randomizes it as you may receive an OUI (identifies chipset manufacturer) that hasn't been used in decades or isn't used in your area, making your device stand out and is obvious the address is spoofed. I don't know how Fedora handles this but assuming it's fully randomized, a better option is to leave it off and install macchanger. Run macchanger -e $network_interface to only randomize the last part of the MAC address. Changes won't persist after a reboot so you can create an init script to handle this at every boot.
That's an interesting perspective. Wouldn't fully randomizing the MAC address make it harder to track a device across different networks? Why is an unusual OUI a bigger privacy concern than being tracked across multiple networks? And why do you think partial MAC address changes are better?
yore Fedora is Red Hat's upstream. Not quite sure what you mean here.
Sorry for the confusion!
Fedora Linux benefits from the security practices and expertise of Red Hat, which enhances its overall security.
This is in contrast to distributions like Arch Linux, which are primarily community-driven.
yore If that is the case, that's a huge step forward!
It is true, you can find it on the first line here.
Recently I switched from Arch Linux to Fedora Linux on my HP OMEN Laptop 15 2020 laptop.
The reason is mostly for the better security and privacy by default:
The project that steps it up even more security wise is SecureBlue.
One great improvement is their usage of hardened_malloc which is developed by GrapheneOS.
They also develop a hardened web browser which is inspired by Vanadium.
This can be installed on Fedora Linux using COPR.
Eventually I might switch towards using SecureBlue.
QubesOS I gave a try on my laptop, but the battery life was quite bad at around 2 hours.
For me it would be an interesting option on a PC, but not a laptop (unless always plugged in).
My suggestion for security hardening would be to set up an administrator password for the BIOS.
Also you should disable USB- and network-boot if you do not use them.
This will reduce the attack surface.
You can also look into more security suggestions using fwupd: fwupdmgr security.