Hey all - Putting together a reference and would love input from the community on this bit. With regard to security and privacy, which distro(s) would you recommend for the greatest protection? Ease of use is a secondary concern here so if you have any insight on what I have listed here or any recommendations I'd appreciate it! Edit: Threat model: https://www.wilderssecurity.com/threads/what-is-your-threat-model.390300/ What I have so far: Best Qubes-Whonix Better Qubes Whonix Good Alpine Linux Arch (w/grsecurity & modifications) Debian (w/grsecurity & modifications) Hardened Gentoo Slackware Tails* Promising Subgraph OS
If I may use a Snatch reference: Protection from what? Ze Germans? So yes, protection from what. What is your objective? Mrk
@Mrkvonic - I'm glad you asked; I should have included this in the original post. My threat model:https://www.wilderssecurity.com/threads/what-is-your-threat-model.390300/ Danke schön!
The level of paranoia from some members in this forum is excessive. Just use whatever linux distro you like, don't click on random email links, use an ad blocker or script blocker, if the latter choice, block no more than iframes and 3rd-party scripts, and if you really want to take things a step further, sandbox the browser and email client in firejail. The only threats I perceive are those floating around the Internet typically embedded in ads or phising emails.
Haha, excess is the idea here! I'm putting a reference together for the paranoid since most information out there seems to be woefully out of date and inaccurate. Point taken though; overkill for 99% of people (thankfully).
But that does not make sense. You cannot satisfy paranoia with logic. The whole idea of paranoia is that you have a heightened level of fear DESPITE contrary evidence Mrk
Although I agree with 'excessive' . But the technology behind it is interesting and still, even if you don't actually need the amount of security, you can learn alot about linux in the process. There are many things on a computer you don't actually need, but simply the knowledge about it and know how to configure it, is worth while to go through these setups imo. I don't use alot of security on my linux distro (except for a firewall and firejail). Maybe it's just plain curiousity to know and understand security and when / how to apply it. And if you understand one aspect of computing then other idea's or applications become easier to understand too (maybe).
Qubes really drives me nuts. I cant get any of the TemplateVMs to update over a proxyVM (vpn), I cant get the clipboard transfer feature to work, for some reason it often hangs on shutdown (but its great on bootup), I know of no way to use a keyfile to unlock the luks partition, and frankly I dont like XFCE's window manager very much I really want to like it, and I think I'll try again with v. 4, but despite having Qubes installed I've just stuck with my heavily modified Arch install. I think it is important to note to people that Qubes is very hardware dependent and it can be quite a bit more stubborn and foreign in ways than your average Linux distro (it is after all a microkernel Xen distribution). Not a reason to not use it, but you dont want people to give up on security because they get the wrong idea about its difficulty. Ive got Apparmor/firejail/vm usage all over Arch and its basically painless, I know Debian can be setup pretty solid with little effort, Fedora as well, etc. So I guess as a final note, I might suggest for your guide that you elaborate on what practical impediments one might face with each given option. For example: Qubes picky on hardware, Arch needing linux-grsec recompiled if you wish to use apparmor, Debian having fairly light package hardening (FullRELRO, canary, PIE, etc), Fedora having great package hardening and SELinux but no easy grsecurity kernel option, etc etc.
Solid input, thanks! This machine lacks the VT-x support necessary for Qubes so I haven't had a chance to play with it just yet but I'm certainly itching to. I feel a bit better knowing that I'm not missing too much just yet, though
Have you changed the NetVM in the TemplateVM's to the proxyVM? For clipboard: https://www.qubes-os.org/doc/copy-paste/ May not be very helpful, but could be so I thought post it anyway. Regarding shutdown, I noticed when I turn off VM's first it never hangs on shutdown, but if I leave a lot of them on, it hangs regularly. I'm not a huge fan of XFCE either, but since Dom0 was upgraded to Fedora23, if you want to use KDE now you're stuck with v5 which is **** compared to v4. So I rather use XFCE than KDE 5. You can use Qubes without VT-x, if you don't have VT-x you can't use HVM's.
Ha! I must have been out of it when I read the system requirements some time ago; thanks for pointing that out! Looks like I was reading the 4.x requirements (which must be there in anticipation of a future release?). You just made my day, @BoerenkoolMetWorst.
Yes the hardware requirements for 4.0 are a lot stricter because they plan to ditch Paravirtualization in favor of Hardware Virtualization to improve security: https://www.qubes-os.org/news/2016/07/21/new-hw-certification-for-q4/
As a poster has already informed, VT-x isnt required to run Qubes. Qubes 4 will have stricter requirements, but will have security advantages. I am concerned that more exposure to hardware will allow exploits to profile hardware far more accurately than the paravirtualization approach currently allows, but we'll see I guess... Qubes is definitely worth checking out, and it is definitely some serious security- I dont want to give the impression that its subpar, broken by design, or not worth it. I guess I just wanted to point out it does currently have its own problems, its a completely different approach than most people are used to in terms of security, and it is still changing in big ways with each release. You might just want to note such things for other users to see so they dont get in over their heads or frustrated. Most Linux distros- for now- with a user who places a reasonable effort into security will be quite safe from threats and inherently have more privacy (than Windows/Mac). How much will this change if Rule 41 gets massively deployed by the FBI, hackers turn their sights on Linux, I cant say- arguments never end about the "turn their sights on Linux" argument, and we dont know how far the .gov will go with its crap. Yeah, I made double sure I set all the TemplateVMs to use the ProxyVM as the NetVM. Its pretty easy to follow in theory, and if I switch the NetVM to be sys-net, the TemplateVM will update fine. Even sys-firewall it refuses to upgrade. There is one exception- whonix. The whonix TemplateVMs will update connected to my VPN ProxyVM (where the proxyVM uses sys-firewall as its netvm, with sys-firewall using sys-net). It seems to be some issue with the proxying that Qubes does, but I havent had the chance to troubleshoot. It doesnt help that I get no error output other than each TemplateVM saying it cant reach its respective update server. BTW, this happens both using "Update VM" in the dom0 vm manager, as well as manually booting the TemplateVM, launching a terminal, and manually doing "apt-get update" (for the Debian8 templateVM), etc. In terms of the hanging problem, yeah, I noticed too that shutting down the VMs before shutting down helps reduce the frequency of shutdown hangs, but unfortunately it doesnt completely eliminate them for me. Last 2 times I've shutdown, I had all TemplateVMs, my ProxyVM, all AppVMs, and sys-whonix shutdown- still froze. I like everything about XFCE except the window manager. In fact, my Arch install is basically XFCE with Openbox. I really wish they'd stayed with KDE 4, but I do understand the reason for the switch. Perhaps when KDE 5 gets stable, KDE devs will finally stop rewriting the desktop environment. I dont have high hopes for this...
Thanks for your insights, @Anonfame1, I appreciate you weighing in. I've been playing with Qubes for the past few days (thanks again, @BoerenkoolMetWorst!) and I definitely see what you mean. Still trying to get the networking to cooperate with the WIFi (hopefully it's just a proprietary driver issue; only making a half-assed effort at troubleshooting rn), among other things, but there's clearly a learning curve that the uninitiated will struggle with. Getting a tutorial and configuration walkthrough situated will probably be a longer-term project (which raises issues on its own.) That said, I'm surprised by how [relatively] intuitive the thing is! I guess I was expecting much worse and a lot of CLI work but they've obviously put a lot of effort into making it user friendly. Once I shake some of the Debian muscle memory and get my head around Qubes' idiosyncrasies I think I'll make this my primary OS; it's already relieving some of that paranoid anxiety and the sense of control is very nice. To your other point, I'd actually love to see more serious and widespread pentesting on Linux and Qubes. I'm fearful that those with a serious need for security might be placing more trust than is warranted in their system. I'm of the opinion that the comfort we take in Linux's open-source nature leads to a dangerous diffusion of responsibility i.e. I worry that that provides a false sense of security moreso than sincere security itself. Unknown unknowns and all that. I might just have trust issues, though.
For sure. My main issues are bugs- not systemic problems: updating dom0 and fedora/debian/sys-whonix/anon-whonix templateVMs is a bit of a pain, the proxyVM issues, the shutdown hang, some display bugs with the VM manager, etc. The layout of TemplateVMs, resulting AppVMs, DispVMs, ProxyVMs, user-defined domains, the ease of switching NetVMs or disabling a domain from having any network access... all of this stuff is first rate and worth dealing with the BS. No, I agree with this. I was one of these people. "Im on Linux- what could go wrong?" Really, I mean I never got hit by malware or spied on (that I know of), so I can see why this takes hold of the Linux community. Once getting more scope on security and seeing that Linux could fairly simply be much much more robust, I converted an Arch install that was mainly just lean and mean simple into a multi-layered security-focused install. It still has the same apps (plus a few apps/utilities like LUKS, KVM, firejail, apparmor, etc) and layout- I just have to do a few extra things for maintenance. As most of us here realize, its not too hard overall On that front, I think this applies to Qubes as well. Im sure the NSA/FBI/whoever has some Xen exploits sitting around- no way in hell theyd let just let that go. With current Qubes, I would think the TemplateVMs having various hardening done especially with respect to making more difficult an attack on Xen would be a very good idea. However, with Qubes moving to replace paravirtualization in v4, eliminated is Xen as an attack vector to break VM containment. While that presents (as another user here explained to me) a higher possibility of hardware profiling, the overall benefit seems to me worth the risk. I suspect v4 is going to be pretty awesome once they get the kinks worked out Anyways, good luck...
What security/privacy advantages does Slackware offer? It's the only on this list that I'm in the dark about. The developers also actively reply on the mailing list, so that's a good place to get help if you need it. Webinterface: https://groups.google.com/forum/#!forum/qubes-users I agree, open source doesn't mean automatically it is more secure. You still need pentesting and code review. However, the same goes for closed source, and backdoors are a lot easier to hide there. There is a dedicated thread for Qubes btw to prevent this thread from going too much off-topic: https://www.wilderssecurity.com/threads/qubes-os-thread.379918/
