/os/ - Online Security

News, techniques and methods for computer network security.


New Reply on thread #37
X
Max 20 files0 B total
[New Reply]

[Index] [Catalog] [Banners] [Logs]
Posting mode: Reply [Return]





there is a tradeoff, with less eyes on openbsd code but more security built-in, whereas there are more people looking at the linux code but it is not necessarily from a security perspective. personally i prefer openbsd.




I've looked at these options a lot this year. There are tradeoffs any way you do this. I like the model of: alpine-linux xen, pci-e passthru to openbsd firewall into hardened gentoo single purpose vm's (music, desktop, reading, web browsing, coding), kind of like a DIY qubes-os.




Does QubesOS use systemd just like Whonix uses systemd? Also, if systemd was so bad, why is there grsec kernel patches that works with systemd? Is TrueOS and FreeBSD going to swallow the d? Why are most init systems aren't as easy to configure like systemd?

 >>/631/
Qubes defaults to Fedora on Xen, which is systemd.  I don't trust anything related to the Government/Corporate system known as Red Hat, including that distro (Fedora) on which I've been pwnd while using.  Redhat's rpm packages are well put together and the default config files that ship with them are very well designed and documented/commented.  It rarely crashes, is super stable, and the packages are default working and have good configs.  However I can tell you from personal experience that I won't get into that CentOS,Fedora and Redhat are not to be trusted at all.    

Systemd is very easy to use, but again read the above about Redhat. Redhat and all of it's derivatives have implants that are virtually undetectable. I don't trust systemd, although I use it on Parabola GNU/linux, and I use openRC on Gentoo.  

I have 6 computers running parabola on systemd (2 servers, 3 workstations, and  a laptop). I have 1 computer running on Gentoo which I work on every once and a while. Also another laptop running Debian. I have 4 computers running OpenBSD 6.0 1xamd64 2xSparc64, and  1xAlpha.  I also have an experimental computer running openIndiana on amd64.  I'm sticking mostly wth parabola for day to day and server stuff, due to ease of maintainence.  For me minimalism is the key to a solid foundation.  Systemd's expansion in taking over other system components is a cause for concern.  

PC WORLD
http://www.pcworld.com/article/2841873/meet-systemd-the-controversial-project-taking-over-a-linux-distro-near-you.html
"Critics say it’s not Unix-like Many of the complaints to systemd stem from a feeling that this huge project is increasing in scope and taking over too much of the Linux system. Not surprisingly, the Boycott systemd site starts with this exact complaint: “Systemd flies in the face of the Unix philosophy: ‘do one thing and do it well,’ representing a complex collection of dozens of tightly coupled binaries. Its responsibilities grossly exceed that of an init system, as it goes on to handle power management, device management, mount points, cron, disk encryption, socket API/inetd, syslog, network configuration, login/session management, readahead, GPT partition discovery, container registration, hostname/locale/time management, mDNS/DNS-SD, the Linux console and other things all wrapped into one.” Ubuntu’s Mark Shuttleworth originally called systemd “hugely invasive and hardly justified” when Ubuntu was sticking with their own “upstart” init system. Ubuntu eventually gave up that fight and is switching to systemd. The change will show up in the Ubuntu Desktop Next images starting in the 15.04 update cycle."
##############

I'm very suspicious about it. And when I have free time i'm going to eradicate it and other questionable system components from off of any mission critical systems.

I hope that answers your question. I'm no expert and those are just my feelings on the subject.

Linux distributions to avoid:

RedHat RHEL, CentOS, Fedora, Ubuntu, Mint, SUSE,OpenSUSE.  

Avoid any GNU/Linux distributions based on the above systems if security is your thing. They're all good and useable, like Windows is, but if security is your goal stay away.



 >>/643/

Yeah there wasn't a package for a script for dovecot, so I can't use it on my mail servers. 

Also I couldn't use weston when I switched over, you can only use xorg. So I switched back to systemd.   Eventually this will be fixed and I'll switch for good.

 >>/634/

I have openindiana on a sun ultra 20 amd system and I'm going to load it onto a Sun Ultra 40 when I get some time.  There aren't many packages in the hipster repo, and they're old package builds.  I played with it for a weekend a few months ago... I need to read some manuals and stuff, but I like that Solaris is still around in an opensource format.


 >>/646/
Its a fork of opensolaris, which is a fork of solaris 10 by Sun Microsystems, it's Unix system V. OpenIndiana is the x86-64 only branch of opensolaris/ IllumOS, and comes with a GUI which is Gnome, I'm sure you can load it in text mode as well.

https://www.openindiana.org/
https://en.wikipedia.org/wiki/OpenIndiana
https://distrowatch.com/openindiana
https://wiki.openindiana.org/oi/OpenIndiana+Wiki+Home







Hardened Gentoo with no doubt, GRSec, SELinux, fstack-protector-all, hardened toolchain, your binaries are different than everyone elses (USE flags), uClibc-ng/Musl support (uClibc-ng is stable in Gentoo while musl is experimental) which are quite far ahead in terms of security than glibc.  


CFLAGS="-fPIE -fstack-protector-all -D_FORTIFY_SOURCE=2" LDFLAGS="-Wl,-z,now -Wl,-z,relro"

Is the default build in Hardened Gentoo, memory based attacks can't do shit on this.  Many people reported Dirty COW didn't even work on Hardened Gentoo. 

Hardened Gentoo is the king of security atop a Linux Kernel.

 >>/666/ (checked)
> LDFLAGS="-Wl,-z,now -Wl,-z,relro"
That's sloppy code, you only need the one -Wl.

Here's what mine currently has:
LDFLAGS="-Wl,-O1,--sort-common,--hash-style=gnu,--as-needed,-z,combreloc,-z,relro,-z,now"

Nonshit country > Nonshit ISP > A libre router setup > Shitty Tor Relay server > Libreboot > LiveUSB > Hardened Gentoo > Encrypted LVM > grsec-xen kernel > SELinux > User > QEMU > Hardened Gentoo > Encrypted LVM > grsec kernel > SELinux > User > Tor > Links2 > http://s6424n4x4bsmqs27.onion/os/res/37.html#q668


Do I need to pass any flags to LDFLAGS/CFLAGS in order to turn on hardened building?
No, the current toolchain implements the equivalent of CFLAGS="-fPIE -fstack-protector-all -D_FORTIFY_SOURCE=2" LDFLAGS="-Wl,-z,now -Wl,-z,relro" automatically through GCC's built-in spec and using the specfiles to disable them which is a more proper solution. For older hardened-gcc users the best approach is switch to the hardened profile and then upgrade following the steps on the "How do I switch to the hardened profile?"

https://wiki.gentoo.org/wiki/Hardened/FAQ#Do_I_need_to_pass_any_flags_to_LDFLAGS.2FCFLAGS_in_order_to_turn_on_hardened_building.3F




I'm using LUKS on lvm as specified here:
https://libreboot.org/docs/gnulinux/encrypted_parabola.html

# dd if=/dev/urandom of=/dev/sda; sync
# cryptsetup -v --cipher serpent-xts-plain64 --key-size 512 --hash whirlpool --iter-time 500 --use-random --verify-passphrase luksFormat /dev/sda1
# cryptsetup luksOpen /dev/sda1 lvm
# pvcreate /dev/mapper/lvm
# vgcreate matrix /dev/mapper/lvm
etc.  
It's a well written guide, I use it with the parabola/arch guide when I setup a new parabola install. 

I'll look into ecryptfs this summer, thanks for the tip. 

http://ecryptfs.org/
https://en.wikipedia.org/wiki/ECryptfs
https://wiki.archlinux.org/index.php/ECryptfs

Here's some copypasta from the archwiki:
> Before starting, check the eCryptfs documentation. It is distributed with a very good and complete set of manual pages.

> eCryptfs has been included in Linux since version 2.6.19. Start by loading the ecryptfs module:

> # modprobe ecryptfs

> Tip: If you use linux-grsec, auto-loading of cryptographic modules may fail when executing the ecryptfs-mount-private wrapper (as of November 2014). As a work-around, load the mentioned module manually; for example modprobe md5 as root and configure the system to load it at next boot.

Not sure what this means but it's a bit spooky.
> Warning: Unfortunately the automatic unmounting is susceptible to break with systemd and bugs are filed against it.[1] [2] [3] [4] If you experience this problem, you can test it by commenting out -session   optional   pam_systemd.so in /etc/pam.d/system-login. However, this is no solution because commenting out will break other systemd functionalities.

> https://bugs.freedesktop.org/show_bug.cgi?id=72759

> https://nwrickert2.wordpress.com/2013/12/16/systemd-user-manager-ecryptfs-and-opensuse-13-1/

> https://bugs.launchpad.net/ubuntu/+source/ecryptfs-utils/+bug/313812/comments/43

> https://lists.alioth.debian.org/pipermail/pkg-systemd-maintainers/2014-October/004088.html

Seems like automounting is dangerous on systemd.

One could either encrypt their /home/$USER dir, or some other dir or ~/.Private ON TOP OF AN ENCRYPTED SYSTEM. It may not be as secure as mounting an encrypted hardrive and unlocking it without an active internet connection, but you can have a dir encrypted even after decrypting your storage via dm-crypt and choose to have it decrypted manually or automatically. One needs to trust their USB or SATA ports isn't physically tampered with if one tries to decrypt an external storage connected to your system, one or more hardware variables are gone because ecryptfs works on top of an existing filesystem without the need of making a separate storage space to mount it on, but on the downside, ecryptfs doesn't use super secure encryption protocols and is buggy for systemd and maybe linux-grsec based kernels. I think it is a better alternative than say putting your stuff in a compresssed package with a password on it but that's just me.

Hello endwall, Is there any documented instance of Fedora,RHEL,or system.d being intentionally backdoored? May be off topic sorry,but you have mentioned it a few times.

 >>/766/

As in a documented case of an audit being performed on systemd uncovering a backdoor?  
No I haven't seen anything about this on any website or about it or in any talks or in any literature.

As in what happend to me?  Yeah I was gang raped on those systems. I had port 53 crowbarred open so that I couldn't shut it off, couldn't turn of bind9 or rebind the port, I had targeted feedback from my terminal and desktop relayed to me through third parties,  I don't want to go into it tin foil style, but don't use it, if you have to use it, use it in text mode with no gui.  My estimate was that the attacks were from the inside out, but I wasn't using jails and used firefox regularly so I don't know. 

From a process standpoint installing it to text mode (CentOS 6.6) (minimal) releases the shell to you at pid 4100, on a fresh install parabola releases the shell to you at ~ pid 650. So there are more background processes running on centos 6.6 then on parabola.  With a full gui install this is much higher. The anaconda installer is really simple and gives you encrypted partitions without much work.  CentOS never really crashed, parabola with grsec kernel locks up all the time, on CentOS gnome was smooth never crashed, never locked up, on parabola startx with blackbox or openbox starts getting the jitters and locks up hard at least once a day.  The rpm packages always worked, and had good configs on centos, the packages on parabola/arch often have empty configs that don't allow the services to start. 

I'd run centos if I didn't care about being spied on, but I do so I don't.  Red Hat are the Microsoft of the linux world, and they are definitely in bed with the NSA and the Government.  

My personal opinion is to install the minimum number of packages to get the job done, compile from source, get the source code directly from the upstream vendor. Gentoo is your best shot for this approach.  The more packages you install the bigger your attack surface and the sooner you will install a malware backdoored "Free software" package. Using binary packages is giving trust to the person that compiled the package that they didn't insert their own backdoor into the code before packaging it. 

Someone should do tcpdump and wireshark packet capture analysis on fresh installs for each distribution for a 1 week capture period and see what turns up.  Also there are probably secret protocols that won't be captured by tcpdump or wireshark. But maybe you can do this? So if you do it tell us about it or make a tutorial and link it.

 >>/766/

Also from memory centos with the gui was making calls out to Verisign and Neustar every 30 mins, to weird websites with no content on them.  I put these ips into my original block lists for endwall (before it was endwall).  Strange repetitive calls out on ports 80, 443, 53 to companies like these mainly in Virginia, Maryland, and some on the west coast in California.  A lot of malicious looking interactions with Akami technologies, constantly sending out packets, and probing my ports. I banned these as well, same with stuff from Amazon AWS.  I can't remember it all, I had a large block list but still recieved indicators that my desktop was being monitored and survielled remotely.  Probable keylogging, and screen capturing from framebuffer being encoded and sent out through port 53.  It was pretty sophisticated looking. Fedora and Centos and RHEL are no go for me.  

I'm suspicious about Debian as well, but it has a good reputation.  However, Julian Assange made comments indicating that he thought that Debian was compromised as an OS, so maybe he knows something, or did some technical analysis on outgoing packets that gave him this impression.  I put Debian on my mom's laptop because it has drivers for wifi that just work without fiddling.  But I'm suspicious, I haven't had any bad experiences with it but Julian Assange's comments make me suspicious.   

I prefer wired only interactions with the internet, and only behind 2 firewalls, 1 hardware + 1 endwall software, with blacklisting of wide ranges of ports and ips. 3 firewalls is better.

I "trust" the base install of parabola, but I don't trust the package repository. 

I ran packet captures for a week in text mode on the base install and saw nothing crazy.  My servers have stood up to some intense attacks, DDOS, brute force, bot net junk mail phishing, etc.  However I have had some strange probable surviellance experiences using xorg on parabola. 

I don't have the time right now to get everything working on Gentoo the way it works on my parabola installs, but one day I will completely switch. 

I also like OpenBSD, the base install has only 45-50 running processes as reported by ps. It looks clean but I haven't done any analysis.  OpenBSD package repositories are ~ 6 months old packages. I can't speak to their trustworthiness.

Parabola with full disk encryption with tor and firejail on everything is probably the best that a non computer science person can do.  Gentoo has me reading compile error logs, and running around in circles spending hours finding out which flags messed up the emerge installation, and which missing packages caused errors, it takes too much of my time, pacman on arch is simple but comes with the aforementioned "trust" problems with the packages.  I basically don't trust computers anymore.

 >>/766/
Here is an informed opinion on the subject matter:
Julian Assange: Debian Is Owned By The NSA « IgnorantGuru's Blog
https://igurublog.wordpress.com/2014/04/08/julian-assange-debian-is-owned-by-the-nsa/

https://youtube.com/watch?v=UFFTYRWB0Tk

" and about 20 minutes into his address, he discussed how UNIX-like systems like Debian (which he mentioned by name) are engineered by nation-states with backdoors which are easily introduced as ‘bugs’, and how the Linux system depends on thousands of packages and libraries that may be compromised."

"Assange mentions how Debian famously botched the SSH random number generator for years (which was clearly sabotaged). Speaking of botched security affecting Red Hat, Debian, Ubuntu, Gentoo, SuSE, *BSD, and more, the nightmarish OpenSSL recently botched SSL again (very serious – updated comments on how a defense contractor in Finland outed the NSA here?) It’s very hard to believe this wasn’t deliberate, as botching the memory space of private keys is about as completely incompetent as you can get, as this area is ultra-critical to the whole system. As a result, many private keys, including of providers, were potentially compromised, and much private info of service users. Be sure to update your systems as this bug is now public knowledge. (For more on how OpenSSL is a nightmare, and why this bug is one among many that will never be found, listen to FreeBSD developer Poul-Heening Kamp’s excellent talk at the FOSDEM BSD conference.) From the start, my revelations on this blog about Red Hat’s deep control of Linux, along with their large corporate/government connections, hasn’t been just about spying, but about losing the distributed engineering quality of Linux, with Red Hat centralizing control. Yet as an ex-cypherpunk and crypto software developer, as soon as I started using Linux years ago, I noted that all the major distributions used watered-down encryption (to use stronger encryption in many areas, such as AES-loop, you needed to compile your own kernel and go to great lengths to manually bypass barriers they put in place to the use of genuinely strong encryption). This told me then that those who controlled distributions were deeply in the pockets of intelligence networks. So it comes as no surprise to me that they jumped on board systemd when told to, despite the mock choice publicized to users – there was never any option. A computer, and especially hosting services (which often run Linux), are powerful communication and broadcasting systems into today’s world. If you control and have unfettered access to such systems, you basically control the world. As Assange notes in the talk, encryption is only as strong as its endpoints. eg if you’re running a very secure protocol on a system with a compromised OS, you’re owned. As Assange observed: “The sharing of information, the communication of free peoples, across history and across geography, is something that creates, maintains, and disciplines laws [governments].” UPDATE: Wikileaks is officially denying that Julian Assange literally said “Debian Is Owned By The NSA”. For people who are choking on the mere summary title of this article, please see definition of Owned/Pwn (and get some hip!)"


https://trisquel.info/en/forum/julian-assange-debian-owned-nsa

http://forums.debian.net/viewtopic.php?f=3&t=115121

If you search around you'll find more articles.  It makes sense, they have a $20 Billion / year budget, and hire the top Bachelor and Masters degree computer science students from computer science programs from around the country, and post them as developers in these open source communities and in linux distribution projects.  In the case of Red Hat the link is clearer and more direct.   

There needs to be an audited version of GNU/linux that is audited by at least 3 professional auditing teams each signing the final source packages in tar files.  There needs to be an audit distribution even if it lags behind rolling release distributions. Audited Source GNU/linux.

 >>/773/
> audited unix
> AKA OpenBSD

I don't mind using linux when I have to use hipster bleeding edge software. And the hackish nature flowing through the kernel itself is never ending inspiration (for both offensive and creative nature).

but seriously, there's no excuse of not using openbsd on exotic platform here and there for making life of NSA employee bit more harder or use gentoo/arch like distribution to learn how the fuck software that we all hate but ultimately become the part of actually works under those filthy piping.

You don't have to be programmer or professional pen testing auditor to make impact. just walking into seemingly random bug, obscure documentation. the never ending experiment is what brought us here, not some IYI crackpot compsci nerd who happily spend his time jizzing over algorithm that works better than quick sort on astronomical scale.

I won't ask you to write compiler or bootstrap your own operating system from language specification or anything. 

Just stop before executing that command or shell script. read it and dump the elf header, see what it wants, how it's doing stuffs. 

Don't visit website with web browser all the time. use nc to see what's actually pouring through.

list goes on and suddenly you realize you don't want nor need questionable developers to dictate your disto nor daily drivers.

I am now also aware of the existence of a potential heir to Tails called Kodachi. It might be worth trying out, but I haven't tried it out yet so I can only recommend people to try it out, not recommending people to use it all the time.

https://www.digi77.com/linux-kodachi/


 >>/777/
I think you've ignored the context, and how one can use Transmission without using Tor, how one can configure Kodachi to use a VPN, how one can configure DNScrypt to not use the default of using CISCO servers (you can even use a dns server in Iceland of all places), how it's a customized OS that deletes fucking everything at shutdown, etc, so it's marginally better than Tails but not yet perfect.

 >>/778/
> deletes every time 

and user patiently reconfigures everything as he anxiously plugs in usb stick to computer. indeed nice situation to be in as prey.

I thought whole point of this pleb tier usb stick distros were to provide non technical personnel with 'secure by default one time beacon' to be disposed of asap.


http://fuguita.org/index.php?FuguIta

What's this?

FuguIta is the Live System which was based on OpenBSD operating system and has following features;

Similar to HDD installation
    This Live System is intended to be similar to HDD installation as much as possible.
    After bootstrap completed, you can login to the environment like the one which was just installed on HDD.
    In this environment, many ordinary files have replaced to symbolic links. So you can replace or modify them by yourself.
Portable workplace
    You can save your own environment into Floppy Disk and/or USB flashdrive. Then you will be able to retrieve it at next boot time.
Low hardware requirements
    Unless you will use X, this Live System requires 48MB of memory to run.
Following stable version
    We're trying to track the OpenBSD-stable version, and to apply all errata patches.

Note: FuguIta (fuguita.gif) stands for "Blowfish Disk" in Japanese. Fugu means blowfish, and Ita means something flat such as a plate, a disk or a board etc...
Some Japanese might associate those who cook when hearing Ita. For them, so FuguIta also means "Blowfish Cook" as double meaning.

I've had great luck with Alpine on my servers. Yeah, binary packages but it's been amazingly stable for me over a few years.

Alpine is getting pretty popular though, for awhile ncopa was threatening to shut down development for lack of time (he couldn't afford to work on it after losing a sponsor). I used to donate to him.

Then suddenly Docker made its announcement regarding Alpine and everything changed. All mentions of a way to donate on the Alpine website disappeared, development surged, and they get major donations of hardware as well. Has me a little bit worried that it could be sold out. Lots of new names on the contributors list on recent versions.

 >>/786/

yeah alpine is really cool.

they are currently the only major distribution that supports musl as standard c library.

gentoo has musl-hardened/vanilla branch but it still has long way to go for stabilization



thumbnail of feels.gif
thumbnail of feels.gif
feels gif
(2.77 MB, 287x191)
 >>/37/
I use a Librebooted laptop with Debian that has FDE enabled. I also have a GRUB password set up. Works well enough. 

If you're going full tinfoil, then use a Librebooted machine with an OS you've made yourself and remove the networking hardware. Encrypt with Twofish to make brute forcing harder for the attacker.


 >>/834/
I didn't use GRUB because of the claims behind being easily accessible through hitting backspace a specific number of times to being the password. I don't have 100% FDE also because of that claim. I'm also worried that if I update to a newer version of GRUB some time in the future that it won't be compatible with Libreboot. To ease my paranoia, I made myself use syslinux instead, but of course, it's no real solution either.






https://www.hyperbola.info/

It's not ready still, the damn download link doesn't work. I suspect that it's still half baked. That being said, one day it could be a slightly more viable solution than parabola.



I've installed Artix Linux and it's okay, just not that great, though still useful and better than regular Archlinux. I can't wait for Hyperbola GNU/Linux-libre installation media comes in OpenRC by default, which when that comes out, I'll use that, but for now, I'd trust a proprietary non-systemd system than a libre systemd system. I'm not willing to install Parabola GNU/Linux-libre and reconfigure everything from scratch to make it work with OpenRC because I already know that there's too much incompatible programs out there with OpenRC. Arch-OpenRC and Manjaro-OpenRC devs are working together to make Artix Linux, which deprecated older OpenRC operating systems. I'm afraid that at this pace, it'll take two months to two years for it to be perfected and become a standalone system no longer dependent on Archlinux as a leech, and if the people behind Hyperbola GNU/Linux-libre don't cooperate with Artix Linux, there won't be a proper OpenRC operating system.


 >>/991/
Until DNScrypt-proxy works with OpenRC, it's junk.

 >>/1019/

# pacstrap /mnt base-openrc

will install the sets for openrc on parabola from a base instalation. Several daemons and packages that I usually use don't have openrc init scripts to install from the repo or just don't work when called. 

I feel that source based distributions, even though they are harder/more work to configure and maintain, are the way to go for security.

Gentoo is the way to go although the recently publicized Source Mage  >>/tech/11021/ seems worth looking into. I've never tried Source Mage but it looks interesting. Linux from scratch is the final frontier for me. I highly distrust Parabola/systemd but I still use it on a desktop and on two servers, I have too much homework keeping me busy for critical infrastructure, like my clearnet web and mail servers, to go offline for days during a wipe and reinstall.  I have two installations of parabola-openrc and one installation of Gentoo.

OpenBSD and compiling from the ports tree is the next best option. Howver I'm using pkg_add for most packages currently and I haven't worked on a proper pf firewall to emulate endwall.sh as of yet, although this is a near term project, once I get my homework load under control.



 >>/1021/
tor doesn't work as intended on my Artix linux. OpenRC is going through some shit and I don't get what the people behind Parabola are doing in response to that while some people in Hyperbola (that are also Parabola devs) are seeking to make a stable, nonsystemd OS that might be truly independent from Archlinux entirely. I also have non free software on this machine so I'm forced to not use FSF approved OSes

 >>/1021/
I would say that crux, void linux and alpine linux are still sort of niche enough to be considered. I'm just too lazy to get off of pacman based packages and if I'm going full source compiling, I need a nonshit functional but libre computer which is probably going to be $3k or something else outrageous.

 >>/1026/
Tor sort of works now but there's no official Tor-OpenRC script besides the deprecated AUR version of that script. Also, UseEntryGuardsAsDirGuards is deprecated, Endwall might need to update his endtorrc file.

 >>/1028/
Yeah I noticed this a while ago and updated the file in endconf.git but forgot to copy it to the rest of the repo locations. Should be updated now.  I guess the whole idea is that there is a best way to do something, (Tor settings for instance), so lets find that best way and spread it.

I've been off of the ball for a while though. For instance I noticed recently that xtrac-ytpl.sh has stopped working.  I'll look at this next weekend, but I've got homework up the wazoo.  

I strongly believe that binary package based distributions are not the way to go for security.  You're trusting the packager or the packaging team not to insert their own backdoor or malware, and you have no way to check if that has happened.  Everything running on a secure computer has to have been compiled from source that is resident on your computer.  That way if you suspect that something is wrong, you can at least check. I don't have the time or the expertise to do this but there are enough computer security experts out there that will, and will hopefully raise a red flag in a blog post, or in an article, or publicize it in a bug tracker.  Right now, by using parabola (debian, ubuntu,mint,fedora,etc) , I'm trusting the packager that they don't work for an Intelligence agency of some small European country, or for a hacking team operating out of Russia. If they get caught (unlikely) they can just change their fake name and move on to the next distribution of linux (if they're not already doing it to the packages there as well).   

I generally fell off of the wagon when I realized that my computer hardware and operating system were a major point of unreliability, and the probable source of my leak and privacy issues.  

Binary package based distributions are a good place to start for someone learning to use GNU/Linux, but they're not the place to be for secure / private systems.   Those are just my opinions, I'm not an expert in computer security, but by talking about it we'll get to the bottom of this eventually.

About security vulnerabilities on systemd:
https://www.scientificlinux.org/category/sl-errata/slsa-20162610-1/
https://www.phoronix.com/scan.php?page=news_item&px=Systemd-230-FBDEV-Woe

Beware of the combination with Wayland. Also systemd is not the only problem, Avahi has been a problem for a while.


Interesting talk about OpenBSD security at Chaos Computing Club Congress 36. 

A systematic evaluation of OpenBSD's mitigations 

https://media.ccc.de/v/36c3-10519-a_systematic_evaluation_of_openbsd_s_mitigations

https://isopenbsdsecu.re/

"Many times I've heard 'This is fixed in the last Linux kernel, and in OpenBSD 3.2.'" – Michael Warren Lucas

You either want Qubes OS, OpenBSD, or TAILS. Qubes OS would better suit for a desktop use, especially with faster graphics and more packages.

You probably want OpenBSD for a secure-by-default server, that you would update every 6 months, provided that parallelism isn't what you need most.

TAILS is useful as a desktop OS again, if you're an activist. It's what I'm using right now.

Sure, Fedora or Ubuntu would be more secure than Windows. Keep in mind that Fedora is maintained by Red Hat (NSA) and Ubuntu is maintained by Canonical (Five Eyes, GCHQ).

I don't trust any other "security-focused" distro because I don't see why it would be more secure than Debian or RHEL, and I don't see how they are innovative, either.

How does one install Gentoo© without fucking it up multiple times and or taking multiple hours to do so? 
Seems like a very steep learning curve, anywhere I should start reading to actually learn how to into gentoo?

Anon, how secure is an untouched Linux (Mint for example), despite possible integrated security flaws? I am relatively new to Linux and overwhelmed by hardening a system although I found some good hints in this bread. But I am afraid to tear holes in my system. Where do I start learning about Linux security and Linux in general? Do I really have to read a 400p handbook about Linux file system etc? ATM I am using Linux Mint, but looking for a non-systemd distro.








When it comes to the desktop model of computing, Linux and BSD are not as secure as you think:

https://madaidans-insecurities.github.io/linux.html
https://madaidans-insecurities.github.io/openbsd.html

Some valid points raised there. If security is paramount, use Qubes OS. Alternatively, use ChromiumOS with all telemetry disabled and enjoy bottoming for Big G.


Post(s) action:


Moderation Help
Scope:
Duration: Days

Ban Type:


86 replies | 6 file
New Reply on thread #37
Max 20 files0 B total