Is "Linux" homecalling less than Windows?

Discussion in 'privacy problems' started by zakazak, Jul 23, 2015.

  1. zakazak

    zakazak Registered Member

    Joined:
    Sep 20, 2010
    Posts:
    529
    Heyho, I am into the whole malware / anti-malware and privacy genre for quite some time. Starting as a script kiddie who played around with trojans / pw-stealers and others, I learned how those things work and how people try to use them against you. It helped me narrowing down my system to the lightweight but essential security tools that are needed. HOWEVER:

    When it comes to homecalling and spying of big companies I feel like I am still an open book. Yes I use Android (Nexus 6 with DirtyUnicorns ROM + Kernel, with a heavily modified security setup: http://forum.xda-developers.com/nexus-6/general/guide-little-guide-to-security-privacy-t3042460 ) and yes, google probably has all my data just from my phone (altough I trust the ROM developers to fix that as much as possible) but what about my laptop?

    I use windows 8.1 with ESET Firewall allowing only connections out/in that I strictly allow. I tried to deny most microsoft request (as long as it doesn't break windows update or other essential functions) but every day more and more creepy connection request come up from microsoft/windows. That makes it a pain in the ass to configure the firewall without breaking core functions.

    So I thought: Would any Linux distro give me less troubles in terms of privacy and creepy homecalling connection requests? But then I also wonder if it even makes any changes in times where you use facebook, gmail, android,... ?

    Thanks !
     
  2. krustytheclown2

    krustytheclown2 Registered Member

    Joined:
    Nov 18, 2014
    Posts:
    210
    Yes most distros only call home for updates and some other minor things afaik. I recommend Ubuntu (with the Amazon program uninstalled and online dash searching disabled). Use Gmail through a client (or not at all) and you can keep one browser just for facebook and such, or install Ghostery/self-destructing cookies.
     
  3. zakazak

    zakazak Registered Member

    Joined:
    Sep 20, 2010
    Posts:
    529
    I would rather try debian or arch linux.. IF I make the switch at all.
    I have to say that windows is still the best performing and most stable OS I have tried so far. And it has the best apps/tools/features for working. Ubuntu is too bloated/slow in my opinion but that really is another discussion and I don't want to bring up any harsh feelings here at windows vs. linux ;P

    I also read that there are modified version of debian/arch linux which comes with different settings and modified apps for more security/privacy ?
    How do you know that the distro only calls home for updates and not for marketing/selling profit?
     
  4. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,832
    Location:
    UK
    I'm wondering if your focus on a single technology/control or set of controls is perhaps distracting you from your objectives?

    It may be that you need to consider more operational security and compartmentalisation. For example, having multiple personas, and running virtual machines you can revert. Sandboxing and RBAC.

    My impression is that, indeed, outgoing firewall rules are extremely time-consuming and ultimately not fully effective (because you cannot be sure what is going up/down from apparently legitimate connections you have approved).

    At least with Linux, you have the possibility of preventing the OS from calling out in the first place. And, correct me if I'm wrong, the kernel does not do so of itself, all that functionality is in the penumbra that the distros give you. And clearly, you can pick your distro to avoid most of the sillies as you've said. IOW, a very lightweight host, plus, if you want, compartmentalised VMs.

    For both pendrive and VM purposes, there are schemes by which you can update the OS (for security updates/installation of packages) but not do any browsing etc, and then save it. Then, when you do browsing or other user activity, you can revert every time so you know the OS is clean as you can make it. Plus the pendrives and VMs only get the data access you want them to.
     
  5. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    This :thumb:

    Let's say that I'm working in a VM that reaches the Internet via some particular mix of VPNs and Tor, as some persona (e.g., Mirimir). And lets say that it doesn't 1) contain any information about my true name, and its beings and doings, and 2) also doesn't contain any information about my other personas.

    If that's so, it can only reveal stuff about Mirimir. I would like some assurance that it wasn't sending my private GnuPG keys and other private stuff to adversaries. Otherwise, meh.

    There is some risk that the host system is sharing stuff from VMs with adversaries. But it also doesn't contain any information about my true name, except through the money trail to its hardware serial numbers, and also through its ISP-assigned IP address. If I were especially concerned, I could nuke its network stack, and only access the Internet through a bridged pfSense VM. I could also just keep all of my private stuff on an air-gapped box.
     
  6. LMHmedchem

    LMHmedchem Registered Member

    Joined:
    Feb 8, 2012
    Posts:
    29
    And also this.
    The most effective way to keep data safe is to not have it on the internet in the first place.

    It's my understanding that since windows 7, all network connections are regulated by a windows api. I would think that this would make it essentially impossible to stop windows programs from accessing the internet, no matter how a software firewall is configured. It would be necessary to have a hardware firewall to stop all unwanted traffic. Please let me know if this is not the case. Even with xp, I stopped using the Norton firewall because even though I had specific rules blocking Microsoft Office from making connections, I could sit and watch my packet sniffer and see the data going back and forth between office apps and Microsoft. There must have been some understanding between Norton and Microsoft that allowed Microsoft apps to connect in spite of firewall rules. You may or may not be concerned about connections to Microsoft, but when MS keeps the back door nailed open they aren't doing much to prevent others from using it as well.

    LMHmedchem
     
  7. Amanda

    Amanda Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    2,115
    Location:
    Brasil
    So you want privacy, but use Facebook, Google, and have an Android phone? "OMG", literally.

    The first thing you gotta do is ditch those companies. It doesn't matter if you use an e-Mail client, or that you virtualize your Linux system, or even if you use a VPN from now on: your data will still go through Facebook and Google servers, and then onto their 3rd party buyers (including the NSA, FBI, etc). And a VPN won't help either, they know who you are, you used their services without VPN/Tor before and using now won't help, at least not until you're being used by those companies (yes, because you don't use them; THEY use you).

    After that is done, it is recommended to pick a distro that doesn't try to hold your hands, because they usually have a ton of useless things and in many cases they attack your privacy. One example is Linux Mint which comes with Flash Player installed. Flash is worse than 90% of the spyware out there, yet people insist in using it.

    My recomendation would be Arch, because it gives you a good balance between control and usability. Gentoo gives you the biggest control on Linux, but it can take 1 or 2 weeks just to compile KDE, for example. Arch is Gentoo already compiled.

    But don't start with Arch, start with something easier like Debian. Notice how I didn't recommend Ubuntu? That's because the skill level required to operate Ubuntu is bigger than to operate Debian, so start with a REAL good system that is maintained by good programmers.

    After that you might feel confortable to try openSUSE, or Debian Sid, or might actually try Arch. Just read the manual, the install instructions, and the most important: you have to UNDERSTAND what each command does and why they're there.

    After installation, Arch is way easier to maintain than Ubuntu, with the advantages that it is a system you built to yourself.
     
  8. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    My latest Windows is (and will remain) v7. In Windows 7, if I uncheck TCP/IPv4 and TCP/IPv6 in Local Area Connection properties, packet logging on the router shows no network traffic from that box. In Resource Monitor, I see only IPv4 and IPv6 broadcast traffic. Browsing, pinging 8.8.8.8, running Update, and trying to activate all fail.

    However, VMs bridged to the physical network adapter (pfSense, Whonix gateway, etc) have normal network connectivity. Indeed, I can create nested VPN chains using multiple pfSense VMs, and then route back to Windows through a host-only adapter.
    Yes, but a hardware firewall isn't necessary. A pfSense VM is a fine firewall, either on a separate box, perhaps as part of a VM chain, or as described above.
     
  9. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    I do agree that smartphones are incompatible with privacy. However you lock down Android, or even replace it with Linux, the baseband aka radio aka modem owns the device, and it's owned by your cell provider. Its firmware is closed-source, so you have no clue what it can do. Some say that it can access the microphone, camera, etc -- even when the device is apparently powered down. So for privacy, you must keep it in a Faraday bag, powered down so it won't drain its battery trying to connect.
    That is true. But only if there are links to your past activity. Links include: 1) using the same machine and OS; 2) using the same Google, Facebook, Wilders, etc accounts; 3) interacting and communicating with the same people; and 4) having the same interests.

    If you create a new Linux workspace VM, and connect through a VPN service, you can create a Google account that's not linked to your old Google account(s). That is, it's pseudonymous. It's more securely pseudonymous if you create a nested VPN chain using pfSense VMs (or whatever) and connect your Linux VM(s) through that. However, your pseudonymity is hosed if you access old accounts, communicate with old friends, and so on. If you use Whonix via VPN(s) you can even be more or less anonymous.

    Creating pseudonymous Facebook accounts is nontrivial, however. Using VPNs and/or Tor triggers cellphone text authentication. And Facebook doesn't accept numbers from online text services, even paid ones. So you're stuck using a burner phone, and that's both expensive and tedious to keep unlinked.
    Yes, Debian is a good choice. Their repository is signed. However, they're quite conservative in stable (now jessie) about adding new versions of packages. So you'll need to build the latest Tor etc. And sometimes builds fail because of unmet dependencies. Sometimes you find what you need in backports. But sometimes you find that upgrading dependencies creates other problems. Anyway, sometimes it's easier to just use Ubuntu. But I use Ubuntu server, and then add minimal LXDE or XFCE.
     
  10. UnknownK

    UnknownK Registered Member

    Joined:
    Nov 3, 2012
    Posts:
    160
    Location:
    Unknown
    :thumb::thumb:
     
  11. Amanda

    Amanda Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    2,115
    Location:
    Brasil
    But that's not what I would call "usable" phone. I, for instance, have a very minimalistic cellphone which doesn't even have internet connection. The only game it has is sudoky hehehe. I don't do anything to it, just "leave it there". It's funny that sometimes my phone company tries to force updates to it, I just laugh at their faces because my phone can't even recognize the links that come through SMS.

    True, that's why it won't help to have Linux + VPN if he still insists in being tracked by Google and Facebook.

    But that's the thing, this is too much work, it's like a smoker trying to glue 3 filters into his/her cigarretes: it won't help, it will still harm you, and it's too much work. The best, of course, would be to stop smoking altogether, but it's been scientifically proven that "you must have it in your genes"; I don't think most people will stop smoking, and I don't think most people will stop using Facebook/Google/Twitter/Yahoo/Windows.
    So, why create a new Google account? I know it's hard to maintain a "double life", I don't see why OP would want to have his "normal" life and then pretend to be someone else while using Google/Facebook. If he ditches both of these nasty companies (and a bunch else) he can literaly be himself and still retain privacy, while not doing too much work at all. Nobody should be a slave of these companies.

    Are you sure? How would Facebook know you're behind a VPN?

    Then it's best not to create a Facebook account :D

    Interesting. For the time that I used Debian (around 6 years) I always noticed that they're constantly pushing security updates and bug fixes into the Stable branch, even if it means uploading a new version of, say, Chromium or Iceweasel, that wasn't there before. If this is isn't the case with Tor than I think it's easier to just use a more up-to-date distro like Debian sid than backporting the software. Not everyone who needs privacy is a tech-savy user :p

    But I disagree with Ubuntu. Once a company loses my trust it probably will never gain it back. Canonical pushed a malicious feature into Ubuntu knowing that almost nobody would read the privacy statement of Dash, because Linux used to be free of these kinds of practices. Who knows what else is into that system.
     
  12. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    2,199
    Care to elaborate? I had been running both distros and cannot confirm what you're saying.
     
  13. Amanda

    Amanda Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    2,115
    Location:
    Brasil
    Is this sarcasm? :p Or are you actually agreeing with me? hehehehe
     
  14. Amanda

    Amanda Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    2,115
    Location:
    Brasil
    Sure.

    On Debian, users get a more well tested system. 6 months is the time for a new Ubuntu release to come out, while 6 months is the time the Debian team freeze, test and de-bug the next-stable release. Not only that, but the development team on Debian is way more careful than those at Ubuntu. Ubuntu's team is known for breaking stuff, e.g. breaking the Kernel when they push a new Xorg; heck, they even broke the Kernel with a new Libreoffice release once, and if this is how they care for regular stuff that should come out as obvious if they actually tested their updates, who knows what the security stuff is doing that we don't know.

    Even the LTS releases of Ubuntu can be pure crap. Who never had a problem that said something about a "massive system problem" 2 seconds into booting the system? Not to mention problems with drivers installation, updates that break each other, programs not installing correctly...

    I've had less problems running Arch for almost 2 years than I had running Ubuntu for 6 minutes, and I'm not kidding. The only problem I encountered while using Arch was a non-critical bug in which Virtualbox was updated without it's hostmodules, but those were into the [testing] repo an could be easily installed. Contraire to what happened on Ubuntu once: after installing the proprietary NVIDIA drivers and rebooting, I was presented with tty1 because the developers forgot to mark the Kernel headers to be installed with the drivers. So good for a "newbie friendly" reputation ;)
     
  15. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    2,199
    Thanks for your detailed answer. I can only say that I know quite some people running LTS releases for years without any problems. That a new Xorg broke the kernel happened just once several years ago as I recall (and Mint is using this as an excuse for not installing kernel updates by default - stupid!). I cannot comment on the Nvidia issue.

    That said, I think this can happen in every distro at times. But it's surely the exception rather than the rule. In my experience the LTS versions have been very stable and hassle-free. And regarding Arch: I'm also happy with it. But I know that (before I started using it) many users had massive problems when systemd was introduced and a lot of them reportedly had to install it anew. And, as another example, the transition from KDE4 to KF5 caused a lot of problems in the recent months. But okay - Arch as a rolling distro is certainly not comparable with Ubuntu or Debian.

    But I'm afraid we're in the wrong sub-forum here ;)
     
  16. Amanda

    Amanda Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    2,115
    Location:
    Brasil
    Yeah, this turned out to be a debate regarding distros themselves :p No problem, this also happens at times heheheh
     
  17. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    No, it's not. Another path is using a small tablet with an external cell modem. Or just doing VoIP via WiFi.
    Same here. Old flip phone, with large buttons ;)
    It's not a "double life". In my case, it's a bunch of small slices of life, each with its own persona, that aren't readily linkable. Maybe OP might want to use Google and/or Facebook logins. Or whatever.
    I don't believe that it's possible to have much privacy that way. There are just too many links.
    I presume that they maintain databases of VPN and Tor exits.
    Yes, Debian devs do push security updates and bug fixes, and new versions of many packages. But there are some dead ends, where the latest package depends on some package that can't be upgraded without breaking other packages. Anyway, maybe I ought to use Sid in those cases.
     
  18. UnknownK

    UnknownK Registered Member

    Joined:
    Nov 3, 2012
    Posts:
    160
    Location:
    Unknown
    We are in agreement on lot of these things. I would also have recommended Debian and/or Arch, because that's what I use in my dualboot setup.

    I don't trust that comapny either. These are some of canonical's "selected third parties" with whom they may share your information:
    http://www.ubuntu.com/privacy-policy/third-parties

    I don't recall any other linux distribution that use the term "our selected third parties".

    Basically, I would never recommend Ubuntu to anyone. It's not trustworthy and no, it's not in any way more user-friendly than Debian. Maybe it's easier to install things like flash, google chrome and other such non-free stuffs in Ubuntu, but other than that there's no real difference.
     
  19. zakazak

    zakazak Registered Member

    Joined:
    Sep 20, 2010
    Posts:
    529
    Sorry I didn't answer to this thread for so long. First of all: Thanks for all replies !

    Yes I am using facebook & google (gmail, android with custom ROM but contacts sharing etc on). I don't plan on living without those and they are generally a data mining monster. But I could atleast stop my laptop OS (windows) stop from mining/sniffing even more data.

    I don't plan on using multiple VM's for multiple tasks. I could live with using microsoft products in a VM. But I want a OS and its software to be trustworthy enough for not needing such consequences. I could simply do all my work on windows and all privacy related stuff in a linux vm as well. But I thought a secure OS (e.g. arch) with trustworthy open source software is fine and hell of a better choice than windows.

    The big question for me atm is: Does the downsides of a linux distro justify the loss of the windows upsides ? E.g. software I NEED for working. The easy a simple setup where my QHD Multi-Touchscnreen-Monitor will work out of the box. Where I won't need to be afraid of every update or that I will enocunter bugs on my daily driver during a presentation. Especially when I am using facebook & gmail, the privacy upside of using linux instead of windows might not be that big compared to its downsides ?
     
  20. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,832
    Location:
    UK
    I've been running Windows VMs for years (partly associated with development environments, where it's a pretty necessary thing) - and can affirm that it's a very good way to work from a productivity POV, especially from a snapshot and reversion perspective. What's more, it easily enables data partitioning - there's no way I want internet facing apps to have open access to my data stores (as they tend to by default). If your hardware is capable and memory friendly, running 3 or 4 VMs is perfectly feasible. Of course, that only works for non-gaming apps, but so be it. Gaming systems tend to punch all kinds of security holes in a system anyway.

    As far as the host is concerned, the main thing is to ensure that that is sacrosanct as you can make it - I haven't browsed or emailed from a real machine for years now, for example. I tend only to use the host for intensive, and personally generated content (not downloaded stuff). It's also hardened in various ways.

    The other thing I can recommend is pendrive linux, used for particular contexts. For example, you can set up a pendrive linux solely used for banking, and boot direct into that, running in ram only (pendrive removed). Browse to the site, do the business, Turn off. Utterly minimal exposure.

    Are you aware of the Qubes operating system?
     
  21. pandorax

    pandorax Registered Member

    Joined:
    Feb 14, 2011
    Posts:
    386
    Yuo are on the righrt track. Yes, Windows has lots of functions, services calls home. It sends what kind of device you plug in your computer, default time service, certificate control, errors, you name it.

    GNU/Linux is not like that. I don't suggest Ubuntu since it sends your typings to the Canonical and shows you ads in dash. And i remember that it was connecting to the Canonical even after removing that function. I suggest you to install Debian stable instead. It doesn't come with propriatery binary firmwares (blob) by default which is good. On the arch side there is also Parabola GNU/Linux which is actually free Archlinux.

    On Debian side, there is no operating system level creepy connections at all. i suggest you to make installation using netinstall, because default Debian desktop comes with lots of stuff that you may not need. You can install your minimal desktop choice after the base install. On debian minimal gnome install (gnome-core) comes with geolocation and time sync. disabled by default, but it may check updates automatically using the mirros that you set at installation, i am not sure if it is the case with minimal gnome. It uses Iceweasel esr version, and they remove the non-free functions that comes with it like drm stuff (on future releases) or whatever it is. But you may want to disable google safe browsing function and edit about:config for further privacy measurement with noscript and request policy addons.
     
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.