TL;DR - About switching from Linux Mint to Qubes OS from among various other options that try to provide security out-of-the-box (also discussed: OpenBSD, SculptOS, Ghaf, GrapheneOS)
What did clicking on the cloudflare button actually do? As far as I know just clicking on a link shouldn’t give you malware.
Another step up is the confidential computing project. Requires hardware that supports it though, which sucks, but takes the virtual hardware concept and adds multi key memory encryption on top.
Remember though security without a threat model is just paranoia, so what level of hoops and investment you need really depends on what your threats actually look like.
I personally love containers and Macsec. It limits most of my concerns. I want to mess with confidential containers next, which is to say lightweight VMs in containers with memory encryption set, but thats all future to me. The irony is that I then I have to figure out attestation better for those machines since from the host they are black boxes.
I don’t understand… Your motivation for a secure operating system was from an incident where you were nearly social engineered? How will a “more secure” os help you with that?
More secure OSes limit what social engineering attacks can take place and what damage they can do.
OK, I’ll bite… How exactly?
often social eng attacks rely on a vulnerability as well e.g. getting your mark to open an Excel file that exploits a vulnerability in MS Office.
Sure, but if the compromise stays within its own app, like for a browser, sandboxing won’t help.
The bulk, and I mean like 95% of the compromises I see are normal employees clicking on things that “look legit”.
Excel is now wrapped in a browser. Discord, almost all work apps are all wrapped in a browser. So you can be completely locked down between apps like grapheneos, but if you are choosing to open links, no amount of sandboxing is going to save you.
This is why we deploy knowbe4 and proofpoint, cause people are a liabilities, even to themselves.
Clicking on things that look legit is a critical part of interaction with computers. Programs should not be installed unintentionally, so first and foremost Office Macros should not be enabled by default (and eventually Microsoft did disable them).
Recently I think the main avenue for malware is to send a PDF with a fake popup for an update, that links to a phishing site and prompts you to download an exe with malware. That kind of thing is a harder issue to solve, but at the very least an OS should probably not let that program update your BIOS.
One example is on GrapheneOS, programs can’t touch system files due to no root access, and they also can’t access data files for other programs.
Sure, but op chose to follow a link. You can be sandboxed to high heaven and still get pwned if you make choices like that. Discord is particularly rife with this.
Yes, but I never said you won’t get pwned. I said that it would limit how it could be done and what damage it could do.
For instance, if you click a link and download something shitty, it can’t just steal your auth tokens on GrapheneOS because all of that is isolated to only the program that uses them. Meanwhile on Windows/Linux there are tons of Python scripts that do that. It would take extra steps on GrapheneOS for someone to use social engineering to hack someone’s Discord/Bank/etc account, which could be enough to prevent it for some people.
How is using disposable VMs in Qubes not going to help?
i have this well guarded city with big walls and tough gates. oh hey look someone is gifting me a big wooden horse, send them in! edit: thought i was funny but it sounds mean now. but i know how you feel, i got pwned once like 10y ago and they sent spam from my skype…
You aren’t going to like this:
Because if you got yourself pwned by a malicious link in discord, your account highjacked, etc., then having discord in a vm, container, chroot, jail, or whatever won’t help you on the server-side api abuse that got you pwned. In this case, you yourself should have been more vigilant.
From your article, and with respect, I think its nice you’re thinking more about security, but you’re mixing up quite a few concepts, and you should probably make smaller moves toward security that you actually understand, instead of going all-in on qubes with only a vague concept of the difference between sandboxing and paravirtualization.
Slightly harsh but that is the truth of it. Improving the walls and doors will help, but if the guard on the door can be convinced to admit an uninvited guest then the physical security will have much harder time protecting your data. The weakest part of any security system is the people.
The weakest part of any security system is the people.
Well, maybe not any, but most ;D
Yep.
I was hoping not to sound too harsh, I’ll have to work on that.
As long as it’s factual harsh is even welcome.
I think Secureblue + GrapheneOS are the most reasonable choices imo. Qubes is highly hardware intensive for what it does, it will frustrate most people.
It works decently with just 8 GB RAM, and I’m going to upgrade the RAM.
Secureblue is based on sandboxing rather than paravirtualization, and I’m not sure that’s secure enough for me.
I do agree it’s likely more secure, but the tradeoff for common use cases (gaming, development) is steep. I could see using it solely for browsing and messaging people
You can also just slot secure blue into a qube I believe
Not only is it resource‑intensive, but Qubes also lacks Secure Boot and Wayland support. Secure Boot is critical to ensure the OS has not been tampered with, and Wayland is required to isolate individual apps running within a single VM from capturing input intended for other apps. For an average user, I would recommend SecureBlue rather than Qubes.
Qubes OS has an Anti-Evil Maid option that is far, far better than signed boot.
AppVMs are isolated in Qubes even without the help of Wayland
I am excited to see Chimera Linux mature because iy seems like a distro which prioritizes a simple but modern software stack.
Features of Chimera that I like include:
- Not run by fascists
- Not SystemD (dinit)
- Not GNU coreutils (BSD utils)
- Not glibc (musl)
- Not jemalloc (mimalloc)
- Proper build system, not just Bash scripts in a trenchcoat
What I would like:
- MAC (SELinux)
- Switch to Fish over Bash (because it is a much lighter codebase)
- Switch from mimalloc to hardened_malloc (or mimalloc built with secure flag). Sadly hardened_malloc is only x64 or aarch64
- Hardened sysctl kernel policy
Chimera is a nice alternative to Alpine, have you thought of sending this feedback to Chimera’s dev?
I thought about it (and I might still) but the project is still in beta and implementing sysctl and MAC would slow everything down development-wise. Switching to Fish would be easy and cool though.
What are the pros/cons of GNU coreutils vs BSD utils?
EDIT : from their website : Desktop environment -> GNOME. What a choice, not for me.
GNOME is just the default, there’s also KDE and no-GUI options if I’m not mistaken
I find it odd that the author didn’t mention secureblue at all. I wonder why they didn’t consider that option?
I actually forgot to mention it, but I was going to say anyway that sandboxing I deem less ideal than paravirtualization
I don’t know anything about that but it sounds interesting. If you have any sources for further reading about sandboxing vs paravirtualization, I’d like to read up on it
What I want out of a secure Linux (or BSD) system is full (top-to-bottom) sandboxing of all components to enforce least privilege. I am want to learn how to make my own distro (most likely for personal use) which uses strong SELinux policies, in conjunction with syd-3 sandboxing, which seems like the most robust and feature rich, unprivileged sandbox in both the Linux/BSD worlds (also it’s totally in safe Rust from what i can tell).
Another thing that I would love to make is a drop-in replacement for Flatpak that is backwards compatible but uses syd-3 instead. It has much better exploit protections than Bubblewrap, and is actually an OOTB secure sandbox. I dont know much about the internals of Flatpak, or how to use xdg-desktop-portal, but I am going to start more simple with a Bubblejail alternative. One major advantage of syd is that you can modify an already running sandbox, so theoretical you could show a popup that says something like “App1 is requesting microphone access.”, where you could toggle on without needing to restart the app.
Need to get better at coding tho lol
I’m all for a better Flatpak, but I’m on the fence with full-on usage of Rust, I’d wait for there to be a second Rust compiler. Otherwise, sandboxing might be enough for some users, but not exactly for me.
You can try to just make a hardened NixOS config. The only requirement is systemd to use NixOS options. Other components you can freely interchange.
I’m not very good at securing Linux, but from what I’ve seen, NixOS leaves a lot to be desired. It doesn’t officially support SELinux and requires a lot of work to make it function properly. It supports other mandatory access control programs, which I’m not really sure how they compare. The store being world readable is another problem. The most obvious issue with that is if you’re doing business work with two clients on the same computer where infrastructure needs to remain confidential, where one client’s programs can read the store and see information about the other clients, even on separate user accounts.
I think the preferred approach is AppArmor because SELinux is not supported on immutable distros. I’m not a security expert either, but I would not share environments between two clients at all, I would put them in separate VMs
SELinux is used on all the Fedora Immutable distros, and the OpenSUSE Immutable distro. It’s actually much easier to do SELinux in Immutable distros in a lot of ways than non-immutable. Especially the bootc-style ones where even more of the system is defined and prebuilt before deployment.
AppArmor is OK, but the whole issue is that you have to know what to throw into it. That’s also its benefit, you can focus in the high risk things and ignore the low risk things. It keeps expanding profiles more and more though, and ironically the ultimate destination is everything being under MAC.
Well, that’s because it’s a first party solution. From NixOS point of view SELinux is mutating the store which is forbidden
Thanks, Ironclad and Gloire look interesting for a RISC-V system, gonna try out at some point alongside CheriBSD
