TL;DR - About switching from Linux Mint to Qubes OS from among various other options that try to provide security out-of-the-box (also discussed: OpenBSD, SculptOS, Ghaf, GrapheneOS)
TL;DR - About switching from Linux Mint to Qubes OS from among various other options that try to provide security out-of-the-box (also discussed: OpenBSD, SculptOS, Ghaf, GrapheneOS)
OK, I’ll bite… How exactly?
often social eng attacks rely on a vulnerability as well e.g. getting your mark to open an Excel file that exploits a vulnerability in MS Office.
Sure, but if the compromise stays within its own app, like for a browser, sandboxing won’t help.
The bulk, and I mean like 95% of the compromises I see are normal employees clicking on things that “look legit”.
Excel is now wrapped in a browser. Discord, almost all work apps are all wrapped in a browser. So you can be completely locked down between apps like grapheneos, but if you are choosing to open links, no amount of sandboxing is going to save you.
This is why we deploy knowbe4 and proofpoint, cause people are a liabilities, even to themselves.
Clicking on things that look legit is a critical part of interaction with computers. Programs should not be installed unintentionally, so first and foremost Office Macros should not be enabled by default (and eventually Microsoft did disable them).
Recently I think the main avenue for malware is to send a PDF with a fake popup for an update, that links to a phishing site and prompts you to download an exe with malware. That kind of thing is a harder issue to solve, but at the very least an OS should probably not let that program update your BIOS.
One example is on GrapheneOS, programs can’t touch system files due to no root access, and they also can’t access data files for other programs.
Sure, but op chose to follow a link. You can be sandboxed to high heaven and still get pwned if you make choices like that. Discord is particularly rife with this.
Yes, but I never said you won’t get pwned. I said that it would limit how it could be done and what damage it could do.
For instance, if you click a link and download something shitty, it can’t just steal your auth tokens on GrapheneOS because all of that is isolated to only the program that uses them. Meanwhile on Windows/Linux there are tons of Python scripts that do that. It would take extra steps on GrapheneOS for someone to use social engineering to hack someone’s Discord/Bank/etc account, which could be enough to prevent it for some people.