Hi there,

Win10 is soon not supported. Tbh Linux has been on my radar since I started to break from US big tech.

But how is security handled in Linux? Linux is pretty open-source, or am I not understanding it correctly? So how can I, as a new user, make sure to have the most secure machine possible?

  • ColdWater@lemmy.ca
    8 up, 1 down · 2 hours ago

    Nothing, just install your favourite distro and don’t run random commands/scripts/binaries you found on the internet.

  • the16bitgamer@programming.dev
    1 up, 2 down · 19 minutes ago

    From a Windows perspective, Linux does 2 things differently which make it more secure than Windows.

    1. Like macOS, it doesn’t need antivirus software like Norton. Windows needs antivirus because DOS, the OS Windows is based on, had it where any program had access to anything. This is still sadly true even on Windows 11. Linux is sandboxed, where instead of giving the program full access to everything, you just give it a sandbox with what it needs.

    Unless you deliberately run a program as the admin of Linux (su or sudo), malicious code can just delete system32.

    2. Linux is open source and while the desktop market share is tiny, there is a massive market in servers. As a result, since there are a lot of eyes on the project, if/when problems are found they are fixed quickly. I remember a time when a malicious actor was trying to add a backdoor into a library as a blob and it was caught.

    Windows on the other hand is closed source, meaning if MS can’t find the issue, the only time it is found is when it’s in the field. To avoid downtime MS offers bug bounty programs for those who can find issues, rather than to let them exploit it.

    • Eggymatrix@sh.itjust.works
      1 up · 37 seconds ago

      I don’t know where you got your information from, but your mental model on how and why things work the way they do in both Linux and Windows seems to be really off.

      Since you seem like someone who is actually interested in understanding this stuff, I strongly suggest finding some better sources as your base.

    • ramenu@lemmy.ml
      1 up · 12 minutes ago

      Windows isn’t based on DOS, though. It hasn’t been for a very long time. Linux isn’t sandboxed. Userspace applications can be sandboxed. There’s a difference.

  • MonkderVierte@lemmy.zip
    6 up, 2 down · edited · 2 hours ago

    So how can I as a new user make sure to have the most secure machine as possible?

    Shut the computer down. That’s it; computer as secure as possible.

    Otherwise, if you actually want to use your computer, google for “threat model” first.

    But generally: use an adblocker in your web browser, don’t execute random commands/tools from the internet before you know for sure what you’re doing, update stuff now and then and make backups.

  • Tenderizer78@lemmy.ml
    2 up, 4 down · edited · 32 minutes ago

    Security on Linux is lackluster.

    Generally as long as you don’t install any untrustworthy programs you’ll be safe … but there’s a problem. Linux is an amalgamation of thousands of separate programs and most of them are maintained by one guy in Nebraska thanklessly. XZ Utils is a prime example of how vulnerable the Linux software stack is to malware.

    My advice: Keep your daily driver separate from your gaming machine, use a Debian-based distro like Ubuntu or Mint for your daily driver, and always have a disaster recovery plan. My advice would basically be the same for a Windows user.

    EDIT: Also full-disk encryption. Both on Windows and Linux you can just read the contents of a hard drive no questions asked. Windows is going to address this with TPMs but you can just use a password. Secure-boot is good because it can help guard against rootkits.

  • SayCyberOnceMore@feddit.uk
    3 up, 1 down · 2 hours ago

    Just make sure everything’s updated.

    Microsoft do a good job of updating drivers and their applications, but Windows application updates vary so much.

    For Linux - mostly - the distro maintainers handle all updates and just updating is usually enough.

    After that it’s down to you… if you disable all the built-in protection and visit dodgy websites then any OS is going to struggle.

    You can improve the out-of-box security by removing software you don’t use, improving default configurations (one size doesn’t fit all) and considering if you want additional security software - this applies to any OS.

    So, to return to your question, choose a Linux distro which has regular updates and only contains applications that you use.

    • fodor@lemmy.zip
      1 up, 1 down · 2 hours ago

      Visiting dodgy websites in itself isn’t as risky as you make it out to be. There are very few exploits in an updated version of Chrome or Firefox that would compromise your machine.

  • fodor@lemmy.zip
    2 up, 1 down · 2 hours ago

    You don’t actually need “perfect” security in the future, any more than you did in the past. Windows was not perfect, right? So stop looking for perfection. Instead, look for “good enough for 99.9% of the world”. And you can get that with many of the popular Linux distributions.

    Basically, install a popular distro, and keep your software to whatever is in the package manager. Don’t install random shit manually. Don’t download random software from random websites. Don’t fuck with security settings unless you read up on the topic very thoroughly. Then you’ll be fine.

  • shreyan@lemmy.cif.su
    2 up, 1 down · 2 hours ago

    Security is a rabbit hole.

    You’re going to end up wasting a lot of time and effort on learning about something that in the end will not have a substantial impact on your computing experience.

    It will make you look good in front of losers on the internet you’ll never meet, though.

  • 🧟‍♂️ Cadaver@lemmy.world
    3 up · 6 hours ago

    To have the most secure machine possible, you might need a hardened kernel but you absolutely need to have SELinux (or equivalent) rules set up.

    The easiest way to have a go at this would be to install openSUSE (any version will do, they all ship with SELinux ootb) and follow guides on how to set up SELinux permissions.

  • bykdd@lemmy.dbzer0.com
    1 up · 5 hours ago

    What I did after installing Mint: enable firewall, disable VNC, SSH, RDP ports, install OpenSnitch, install Pi-hole.
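
A way to check that the remote-access ports mentioned in the comment above are really closed, as an added example that is not part of the original post. It reads `ss -tlnH` output and reports SSH, RDP and VNC listeners bound to a non-loopback address; the function names, the VNC port range 5900-5909 and the sample lines are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example: flag SSH/RDP/VNC listeners reachable from other hosts.
# Input on stdin: output of `ss -tlnH` (TCP, listening, numeric, no header).
flag_remote_access_listeners() {
    awk '
    $1 == "LISTEN" {
        # Field 4 is the local "address:port". The port follows the last
        # colon, which also holds for IPv6 forms such as [::]:22.
        n = split($4, part, ":")
        port = part[n] + 0
        addr = substr($4, 1, length($4) - length(part[n]) - 1)

        if      (port == 22)                   svc = "ssh"
        else if (port == 3389)                 svc = "rdp"
        else if (port >= 5900 && port <= 5909) svc = "vnc"
        else next

        # Loopback-only listeners are not reachable from the network.
        if (addr ~ /^127\./ || addr == "[::1]") next

        print svc, addr, port
    }'
}

# Constructed sample input (not captured from a real machine).
sample_ss_output() {
cat <<'EOF'
LISTEN 0      128          0.0.0.0:22        0.0.0.0:*
LISTEN 0      4096       127.0.0.1:631       0.0.0.0:*
LISTEN 0      5                  *:5900            *:*
LISTEN 0      128             [::]:22           [::]:*
LISTEN 0      5          127.0.0.1:5901      0.0.0.0:*
LISTEN 0      10      192.168.1.20:3389      0.0.0.0:*
LISTEN 0      128            [::1]:22           [::]:*
EOF
}

# On a real system: ss -tlnH | flag_remote_access_listeners
sample_ss_output | flag_remote_access_listeners
```

An empty result means none of the three services is listening on a network-facing address; any line printed names a service to stop or to block in the firewall.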

    • pitiable_sandwich540@feddit.org
      8 up · 2 hours ago

      I think this article is a great analysis of what deep-rooted flaws Linux desktop distros have, but I think it is a bit disconnected from the average user (obligatory xkcd).

      If the average Linux user needs a program, they google what they need and land on Stack Overflow telling them to use their package manager to install it.

      If the average Windows user needs a program/feature, they google it. They click on the first link and install the first .exe they find. Has anyone you know used the Microsoft Store?

      Or take gaming as another example. The default experience for online multiplayer games requires kernel-level anticheat on Windows. This effectively circumvents Windows’ carefully crafted security model for most triple-A online games.

      So yes, the average Linux machine is probably not as secure as a macOS or Windows machine. But the way they are commonly used, I highly doubt Windows machines are more secure.

    • MonkderVierte@lemmy.zip
      1 up · edited · 2 hours ago

      About sandboxing, not like the Java-VM helps much in Android security.

      The inherent problem why sandboxing should not be on this list:

      [Image: sandboxing cycle]

  • missfrizzle@discuss.tchncs.de
    9 up · edited · 11 hours ago

    the most secure possible? you’ll need to learn a ton. you’ll get there, but it’ll take a while.

    decently secure? install Linux Mint, install your updates, don’t run sketchy commands with URLs in them unless you know what you’re doing, maybe follow a hardening guide. you’ll be okay.

    if you need to be extremely secure and private, install Tails on a USB stick. it will be slow and frustrating, and you’ll need to save files to a second USB drive, but it will probably keep you pretty safe, and it’s decently user-friendly. just make sure you keep Tails updated! you’ll have to do that by flashing the new Tails onto a new USB drive, there’s no easy way around that.

    those are your two most user-friendly, safe approaches.

  • /home/pineapplelover@lemmy.dbzer0.com
    37 up, 1 down · edited · 15 hours ago

    There’s a lot of people with the idea that open source can’t be secure because people see the source code.

    But imagine this. You have 2 locks, one whose inner workings are completely viewable, and another that is covered. Both have been unbreakable, but could you imagine the balls on the guy that made the clear lock? Imagine feeling so confident that your lock was clearly the best, that you just expose it to any hacker ever and they still can’t get in.

    Microsoft can barely get things working with their closed source code.

    In reality, anything is exploitable and hackable eventually. With the open source community there are so many eyes on it that when someone notices that the program is running 2 seconds slower than it used to, they discover a vulnerability instead of just accepting it and saying “probably MS doing some BS” and dealing with it.

    • CheesyFox@lemmy.sdf.org
      7 up · 5 hours ago

      your analogy doesn’t quite work here tbh.

      It’s not a transparent lock, a transparent lock would be easy to pick. It’s more of a usual lock, but everyone can see all the blueprints and changes done to them. You can make changes to the blueprints yourself, and if the locksmiths approve of it, the next iteration of the lock will have them included.

      Everyone who’s in the set of users of OSS software can contribute, therefore the set of people in control of the software that want it to have no backdoors whatsoever is always larger than the set of people who want to let the backdoors in, unlike in closed source, where corporate can singlehandedly decide to include a backdoor on purpose. Not to mention, lots of OSS projects have such large quantities of different people working on them, corpos won’t be able to gather so much humanpower under a single project ever.

  • communism@lemmy.ml
    20 up, 1 down · edited · 15 hours ago

    To be honest, security in the desktop Linux space has traditionally been a bit shit.

    Since you’re new, it’s important for you to understand that Linux is a kernel. That’s the most low-down part of your operating system that handles your OS talking to your hardware and vice versa. Linux is not a full OS; it doesn’t provide any userspace tools that an OS provides. That’s why people don’t install Linux on its own, but they install Linux distributions, which are full OSes using the Linux kernel that come with more or less software to make Linux a complete OS, or at least bootable. That means that there is no one way to do things in Linux. There are some Linux distributions that are security-focused, such as Qubes OS and Alpine Linux. There’s also the new immutable distros, which provide security because the entire OS is defined declaratively, meaning you can easily rollback changes, and it’s harder to get infected with malware on those systems. There’s a lot of variability. Some systems are quite secure by default. A lot of other systems do not set up any security measures by default and expect the user to do that.

    If you’re interested in hardening your Linux install, I would recommend the Arch wiki’s security page which has a lot of good advice.

    Security is a really broad topic and the relevant security measures for you are going to vary based on your threat model. General good practices include using some form of MAC, setting up a firewall, don’t install random crap you don’t need (and if you are getting software from somewhere that isn’t vetted, e.g. the AUR, you should vet it yourself—e.g. if you use the AUR, learn to read PKGBUILDs), use full-disk encryption. Anti-virus software is largely not necessary on Linux, especially if you only install software from your package manager and follow other security good practice.

  • BCsven@lemmy.ca
    30 up, 1 down · edited · 12 hours ago

    Microsoft being closed source hides their bugs and vulnerabilities. Even when security researchers have sent in reports, MS has sat on them due to profit being the motive, not security, and not taking vulners seriously until the researchers say screw that and publish it.

    Linux being open can have all eyes on it, and if there is an exploit, there is a community willing to help ASAP.

    On many distros you may have weekly or even daily updates or patches coming through with fixes. A distro like openSUSE has various patch and list patch commands that show what security patches are available, their status (critical, recommended) and if it’s needed on your system or not depending on what you have installed. You don’t get transparency on closed source systems.

    If you are paranoid about security you can use AppArmor tools or SELinux. AppArmor can be set to learn how an app behaves, then you lock it so the app can’t do new things.

    With SELinux you set rules for files and folders, so even with remote access an attacker can’t access data if rules don’t allow file listing over SSH etc.