There are many articles touting one distro over another because of security features? However, all of the Linux distros are basically based off of the original kernel build - supposedly? So, why is one distro more “secure” than another, or is this another urban legend? Anyone wish to clear the dust?
Linux is the most secure OS out there, but eventually, it all comes down to the actual user.
There are two options for extreme security, however.
One is Tails:
https://tails.boum.org
Which uses non-persistent drive space (you can only save on a USB stick as it maintains nothing when you reboot your system).
And the other one is Qubes
This one is more secure, with persistent storage. It relies on multiple virtual environments, so you will need a lot of RAM to keep this one running efficiently.
Thanks for the post. I’ve been playing around with Qubes in virtualbox. However, the main question still remains… Can’t the other distros be configured to be as secure?
Of course, they can. One prime example is the Kodachi Linux, which is based on the Ubuntu distro. It has won several awards for cybersecurity.
The second you buy a PC, they link the Mac address or the serial number of any part in the computer to your credit card.
In Germany you have to show your ID when you buy a phone or PC. => war on terrorism…^^
So you are fooged, even if you buy a refurbished or used PC on eBay or Amazon. Fooged.
To be free without any registration of the hardware:
Go buy a pc at a garage sale.
Did you lend money to your friend’s sister’s buddy? Then let him buy the hardware.
First, without internet, format the hard drive 1-2 times or remove it right away and do everything via live CD or live USB stick. I will look at Tails, Qubes and Kodachi this week.
Hello @fugbug and welcome to the forums!
Thankfully, Linux offers you the capacity to randomize your MAC address, which is always handy. Also, it does not store or transmit any hardware information - at least not without your explicit consent. As long as you are on a VPN with zero log retention, you run Privacy Badger & uBlock Origin, you are relatively safe. For more safety, disable scripts on your browser or use the TOR Browser with its maximum settings (TOR post VPN setup).
You are absolutely right, you can do a lot right with Linux, but you can also do a hell of a lot wrong.
But I think if you want to be consistent, you should start with the hardware. All the chips on the boards come from the land of panda, and I would bet there are protocols we don’t know ;).
Last but not least, the biggest danger is still in front of the computer. Only with absolute discipline, comparable to radio traffic behind enemy lines, can you protect yourself and others.
Why do you think Mr. Zuckerberg named his company “Meta”? Because exactly these “meta-data” and one or two algorithms tell more about you than your diary.
Agreed in full!
On the hardware side, we’ll need to keep an eye out for the new TPM 2.0 and T2 chip modules (PC and Apple, respectively).
On the Zuck-man side, the Meta-Data connection is valid. Because that’s what he and his cronies are collecting. Former FB is now coming forth with the truth about their purpose.
Life log is an open secret.
What meta data do, you can see here very well.
What would be your next pick? Didn’t Snowden use Tails and switch to Qubes now?
Tails is a non-persistent distro, which runs out of a USB stick - regardless of the computer you’re using. Qubes has persistence (you can store files and settings), but it requires a serious system with at least 32GB of RAM, due to its many virtual machines.
As for me, I don’t need to go into “overkill mode” - which is what the two distros provide. For now, I’m settling for a reasonably secured distro, either Ubuntu or a Fedora/CentOS one.
You could do that… or just randomize your MAC address. If you automate it, you’d change it before you bring up your networking. You want to change it before you start sending ARP packets around.
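The ordering described in the post above (set the new MAC while the interface is still down, before any ARP traffic leaves it), as an added example that is not part of the original thread. The function names and the `DRY_RUN` variable are assumptions, and it relies on the iproute2 `ip` command.

```shell
#!/bin/sh
# Added example. Function names and DRY_RUN are assumptions; needs iproute2's `ip`.

# Random MAC with the locally-administered bit set and the multicast bit
# clear: a valid unicast address outside the vendor-assigned (OUI) space.
random_mac() {
    hex=$(od -An -N6 -tx1 /dev/urandom | tr -dc '0-9a-f')
    first_hex=$(printf '%s' "$hex" | cut -c1-2)
    first=$(( (0x$first_hex & 0xFC) | 0x02 ))
    printf '%02x%s\n' "$first" "$(printf '%s' "$hex" | cut -c3-12)" |
        sed 's/../&:/g; s/:$//'
}

# Succeeds only for a well-formed, locally administered, unicast MAC.
is_laa_unicast() {
    printf '%s\n' "$1" | grep -Eq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$' || return 1
    octet=$(( 0x${1%%:*} ))
    [ $(( octet & 0x03 )) -eq 2 ]
}

# Take the link down, set the address, and only then bring the link up,
# so the hardware MAC never appears in a frame on this network.
# With DRY_RUN set, the commands are printed instead of executed.
apply_mac() {
    if ! is_laa_unicast "$2"; then
        echo "refusing MAC that is not locally administered unicast: $2" >&2
        return 1
    fi
    run=${DRY_RUN:+echo}
    $run ip link set dev "$1" down &&
    $run ip link set dev "$1" address "$2" &&
    $run ip link set dev "$1" up
}

# Usage as root, before networking starts:  sh randmac.sh apply wlan0
if [ "${1:-}" = "apply" ]; then
    apply_mac "$2" "$(random_mac)"
fi
```

If NetworkManager manages the interface, it may reset the address according to its own `cloned-mac-address` setting, so the randomization is better configured there in that case.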
Tails on an HP EliteBook 8560w is running very well.
RAM 3.8 GB
Intel Core i5 2520
64 bit
no hdd
MAC address randomizer, tor vpn network per default.
booting time ca 90 seconds
persisting storage on usb
Lesson learned: please enable storage before you type the obfs4 Tor bridge key in …
Please download, or take a screenshot of, that bridge key from a completely different network, one that is not connected to your desired machine.
I was also looking for a secure email. I am starting to use StartMail. For all US citizens: it is a Dutch company using only servers in the EU. The registration process is really straightforward. For the registration, similar to the Tor bridge key, I recommend you use a completely different network, so you can avoid any tracking.
Lesson learned: please enable the persistent storage for Thunderbird when you would like to use a mail client. You have to enable the device with a special password, which is only shown once.
Another important point is to start a process, follow it and complete it. Depending on the level of threat or the need for security, you should reboot the system after each task.
Are you running Linux from a USB? Otherwise, you normally don’t need persistent storage (unless you’re running Tails).
Yes, I’m trying to push it to the limit.
And so you can also consider three other aspects of data security:
- don’t always be online.
- always restart the machine (in the case of TOR, new IP and MAC addresses are always distributed).
- if the worst comes to the worst, make sure that you can also create physical data security.
Good points and I agree with the first.
For the second, it depends on your network. Routers in general hold the same IP no matter if they are rebooted. They only change when you reset them to factory settings. The MAC address is mainly visible on phones when using data. Routers tend to send out their own MAC address. If you’re worried about your IP address, stay on VPN > TOR and shift servers for the former, and exit route for the latter (you can do so while online).
For the third, it depends on the type and - most importantly - the size of data you wish to secure. 10GB are much easier to store than 10TB.
You mentioned the T2 chip.
I have been trying to boot my iMac with Ubuntu via an external flash drive. I have researched the internet and found that my iMac is relatively new and does have the T2 Security Chip. I followed web suggestions that I boot into recovery mode and turn off certain security measures so that I can boot from an external drive. I have done all of this, yet to no avail. When I am given the EFI option, I select it, then my iMac screen goes dark as if it is booting to the flash drive, but it never succeeds. I eventually have to restart my system by holding the button on the back of the iMac.
Any information would be appreciated.
Thank you
As always, it depends on what exactly you are trying to secure, desktop in general or server. As you know, any open port (or service), especially a default port, is at risk. But the distro that is stable, well known and FULL of security tools is https://www.kali.org/
Hey @Fire and welcome to the forums!
I gave it a shot, personally, but I didn’t persist too much on the subject. I did a test on my T2 MacBook Pro 16" a few months ago. There is a process to allow booting from an external drive, which you’ll need to activate in the “safe” boot mode of macOS, under the security settings. I’m including a link on how to do that in the end of this post. This allowed me to boot Linux from the USB.
One thing you should be extremely careful of, when you try an installation to the external drive, is the following:
When it prompts you about where to install Linux, make sure you select Something else - as in manual partitioning. This is imperative. The reason is not as to which drive Linux will be installed, but the location of the boot loader. When you go manual, you have the selection on where to place that Linux boot loader. Under no circumstances should you select any automated boot loader installation and avoid installing any distro that does not give you the option to select the location of the boot loader install area. It will damage your macOS.
With that being said, when you enter the manual partitioning, select your external drive. You should then make three (3) partitions:
- The boot partition (usually EFI as its file system) and flag it for format and the /boot as mount point. Also, if you see the “boot” flag when you’re setting it up, select it. This partition should be anything between 512MB to 1GB.
- The Swap partition. This is your virtual memory, should your system run out of RAM. The ideal size is to set it equal to your system’s RAM (i.e. 8192MB for an 8GB RAM system). Select its filesystem to be swap. There is the option to also have hibernation for your system, if you select the swap partition to be 2x the size of your RAM, but I would not recommend it as you may hit some glitches.
- The last partition is your root one. That’s where the main OS will reside and is mounted at the / point. You can select this to be EXT4.
Once you are done setting those partitions, double-check that you select the boot loader (Grub) installation to be on your external drive.
Depending on the distro you selected, if you try to boot from your newly installed Linux on the external drive, you might still get a black screen. That’s something I faced on my MBPro. The two distros I hear recommendations about are PoP_OS and Manjaro.
Below is the link on how you can set your T2 iMac to allow booting from an external device: