What would be your distro of choice if you take the security with ease as the top priority
from tiz@lemmy.ml to linux@lemmy.ml on 08 Oct 10:07
https://lemmy.ml/post/37245932

With the recent Windows 10 EoL news, I was able to move my dad over to Linux Mint. But he does a lot of finance stuff. Long ago, Linux had a belief that desktop Linux is not the primary target for crackers, but I don’t believe that’s true anymore since it’s getting significantly popular lately, like European government migrations over to Linux and LibreOffice.

My question would be, given my dad is just as careful on Linux as he has been on Windows, would it be fine to do finance like banking and trading (not the fastest kind)?

If not, what would be your distro of choice for that? Even browsers? (I installed Firefox, and Edge from the Microsoft website .deb file.)

#linux


birdwing@lemmy.blahaj.zone on 08 Oct 10:18

PureOS might be one, though it’s maintained by an American computer corporation.

hendrik@palaver.p3x.de on 08 Oct 10:19

I think most Linux distros will be fine. As of today, desktop market share is still small, and governments mostly work within custom business applications. And to this date Linux malware and viruses for the desktop are practically unheard of. The common attacks are against the browsers, not the underlying operating system (so do timely updates and install an adblocker), or we’d expect phishing or phone scams, and that’s against the human in front of the computer, again not the operating system. That makes me say they’re about all alright. Of course they’re not all equal. Immutable distros and sandboxing will help here. But the real deal is other countermeasures, like being aware of how phishing works and trying not to mix online banking and pirating games from shady websites. That belongs on separate user accounts or even separately installed operating systems. And use password managers, two-factor authentication and these things. (And don’t use Edge, or some browser from some random third-party repository.)

tux0r@feddit.org on 08 Oct 10:29

And to this date Linux malware and viruses for the desktop are practically unheard of.

This is dangerously false.

Edit: I’m sorry to see I have disturbed a few people here, downvoting the truth without a comment. Explains a lot of contemporary politics, I think.

hendrik@palaver.p3x.de on 08 Oct 10:32

Can I get some list or a reference to educate myself? As far as I know it still holds true. There are rootkits, a lot of old stuff and exploits of web servers or embedded devices, supply chain attacks towards developers and the one day the Mint ISO file got compromised. But I’m completely unaware of desktop computer malware with high risk or actually spreading?! And the list on Wikipedia seems to confirm what I said…

tux0r@feddit.org on 08 Oct 10:55

Okay, let’s assume for fun that there’s highly developed Linux malware that exclusively infects servers and leaves desktops alone. What exactly is a server? Is it a server as soon as a web server service is running? A DNS service? An SMTP service? Some of these are also included with Linux desktops.

But that’s not the point. There’s no specific “Linux server malware”. There’s Linux malware. It targets the Linux kernel (current data point), not any web stuff.

hendrik@palaver.p3x.de on 08 Oct 10:59

For example, it’s something that has an Apache web server installed and that Apache is accessible from outside… So the Apache exploit can do something. Do you have both conditions met on your laptop/desktop computer? I’m pretty sure that won’t be the case, and that’s the difference here. And yes, that’s specific.

tux0r@feddit.org on 08 Oct 11:00

Let me repeat my last paragraph, as you seem to have stopped reading after the first question mark:

But that’s not the point. There’s no specific “Linux server malware”. There’s Linux malware.

hendrik@palaver.p3x.de on 08 Oct 11:02

You’re wrong. How would an Apache exploit “hack” your Steam or online banking app? That’s just not possible.

How would something that exploits the default password on a router infect my machine with a different password?

Malware uses specific attack vectors and specific vulnerabilities.

tux0r@feddit.org on 08 Oct 11:06

Malware uses specific attack vectors and specific vulnerabilities.

The “specific vulnerabilities” are usually in the Linux kernel, quite present on every single Linux system. Please follow the link I posted above. This is not about Apache or any other arbitrary user-facing software.

hendrik@palaver.p3x.de on 08 Oct 11:12

Thanks for the link. But that’s not a vulnerability or malware. It’s academic research on how to hide malicious syscalls. But it can’t infect anyone’s computer. And there isn’t any vulnerability to let it in.

tux0r@feddit.org on 08 Oct 11:15

Thanks for the link. But that’s not a vulnerability or malware.

The RingReaper malware is literally a malware, using known vulnerabilities in the Linux kernel…?!

hendrik@palaver.p3x.de on 08 Oct 11:28

I’m sorry. The most I can find about “RingReaper” is that single blog post or people who rephrased it into their own articles. There seems to be zero information on how it spreads through the internet? And if anyone contracted RingReaper. And I can’t even discern how that’d get on someone’s computer unless they install it themselves (which is a form of malware, though not very pronounced on Linux due to the distributions and central package repositories). There are no other methods highlighted in the post. And it can’t do privilege escalation either, just scan for other vulnerabilities. So is this a thing in reality and how can I find out? It seems like valid research to me, but I can’t see how it’s more than that… What I mean is, I can see how someone put the word “malware” in the title. But that in itself doesn’t really threaten my (or OP’s dad’s) computer.

tux0r@feddit.org on 08 Oct 11:44

So is this a thing in reality and how can I find out?

It is one of several things in reality. Linux malware, spreading through the (mostly) same paths as Windows malware does, has been real for quite some time now.

But that in itself doesn’t really threaten my (or OP’s dad’s) computer.

Linux malware threatens Linux computers. It might be important to keep that in mind if you use Linux.

Auli@lemmy.ca on 08 Oct 13:55

Can you explain how it’s malware and spreads? The article doesn’t say anything except how it hides its calls.

hendrik@palaver.p3x.de on 08 Oct 12:58

Did you read the article? This RingReaper thing is a method to hide something. It doesn’t have any means to infect a system. And it doesn’t really do anything except hide itself. It doesn’t delete your files, it doesn’t steal your passwords… It doesn’t spread… It’s not really what you think it is.

Edit: And congratulations for going back and appending your first comment with the wild claim you own the truth. I’m pretty sure people here downvote you because there’s almost no truth in what you spread here. I’d be willing to listen, but you don’t have any example to back it up. Instead you ramble on about how servers are supposed to be desktop computers and attacks target the kernel instead of userspace applications… None of that is true. Sorry, I’m not deliberately trying to be mean or hostile. But that’s how it is.

SrMono@feddit.org on 08 Oct 10:35

This is dangerously unspecific.

tux0r@feddit.org on 08 Oct 10:52

linuxsecurity.com/…/ringreaper-linux-malware

SrMono@feddit.org on 08 Oct 11:03

Thank you!

I add this overview article www.geeksforgeeks.org/…/what-is-linux-malware/

hendrik@palaver.p3x.de on 08 Oct 13:06

I don’t think OP’s dad will host a misconfigured cloud service on their computer or set an insecure password, enable SSH and then also open a port in the router. Most attacks on that list are specific to how internet servers are set up. And well, insecure old embedded devices. And we in fact have those systems targeted regularly. My servers get bombarded with malicious traffic trying to get in.

SrMono@feddit.org on 08 Oct 13:24

Yes. That is part of the insight. But auto-upgrade is a good practice for desktop PCs, too. And the article shows that there are vectors and countermeasures. Rootkits have been known for ages.

hendrik@palaver.p3x.de on 08 Oct 13:29

Sure. We get security vulnerabilities in Chrome and Firefox all the time. Sometimes the libraries handling images are vulnerable and that’s a big issue. And zero-days are a small fraction of actual attacks; most likely you’re getting hacked because of old, vulnerable software. So updates are the first priority. And backups are something people also frequently forget to set up.

SrMono@feddit.org on 08 Oct 13:47

Good point. To get back to the original question, I wouldn’t change the distro unless they are known to be slow with security updates. Anything Debian- and Ubuntu-based should work just fine.
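The auto-upgrade practice raised a few comments up, as an added example that is not part of the thread: a POSIX shell snippet that reads and writes the APT periodic settings the unattended-upgrades package consumes on Debian, Ubuntu and Mint derivatives. The file path (/etc/apt/apt.conf.d/20auto-upgrades) is the standard one; the temp-dir copies and their contents below are constructed for the demo, so it runs without root.

```shell
#!/bin/sh
# Added example (not from the thread): check whether APT's periodic
# package-list refresh and unattended upgrades are both switched on, and
# write the enabled form. Real file: /etc/apt/apt.conf.d/20auto-upgrades
# (read by the unattended-upgrades package; needs root to write).

# Print the value of one APT::Periodic setting from a config file ("" if absent).
apt_periodic_value() {
    cfg="$1"; key="$2"
    sed -n "s/^[[:space:]]*APT::Periodic::${key}[[:space:]]*\"\([0-9]*\)\";.*/\1/p" "$cfg" | tail -n 1
}

# Return 0 only when both settings are "1"; a "0" or a missing line fails.
auto_upgrades_enabled() {
    cfg="$1"
    [ "$(apt_periodic_value "$cfg" Update-Package-Lists)" = "1" ] &&
    [ "$(apt_periodic_value "$cfg" Unattended-Upgrade)" = "1" ]
}

# Write the enabled configuration to the given path.
write_auto_upgrades() {
    cat > "$1" <<'EOF'
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";
EOF
}

# Demo on constructed files: the "weak" one refreshes lists but never installs.
demo() {
    tmp=$(mktemp -d)
    printf 'APT::Periodic::Update-Package-Lists "1";\nAPT::Periodic::Unattended-Upgrade "0";\n' > "$tmp/weak"
    write_auto_upgrades "$tmp/fixed"
    auto_upgrades_enabled "$tmp/weak" && echo "weak: enabled" || echo "weak: NOT enabled"
    auto_upgrades_enabled "$tmp/fixed" && echo "fixed: enabled" || echo "fixed: NOT enabled"
    rm -rf "$tmp"
}
demo
```

On Mint the Update Manager's own "automatic updates" switch is the usual way to turn this on; the APT file above is what it and the unattended-upgrades package ultimately drive, so checking it is a quick way to confirm the box is actually patching itself.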

SrMono@feddit.org on 08 Oct 12:02

I guess the problem is not “the truth” but a claim without sources combined with a short communication style for a really complex matter.

Even the link you posted just reports on one malware instead of the current state or perception of the problem. Like a general threat assessment instead of one incident.

tux0r@feddit.org on 08 Oct 10:20

OpenBSD. No Linux, but much more secure. And yes, there is quite some amount of Linux-specific malware around these days.

ashleythorne@lemmy.world on 08 Oct 10:41

True, but my issue with OpenBSD is that the performance is really lacking in terms of desktop smoothness. It feels like sub-60 fps compared to the smoothness of Linux and FreeBSD.

I hope it’s just a current driver incompatibility and not related to their hardening. Will try again once 7.8 releases.

tux0r@feddit.org on 08 Oct 10:56

OpenBSD gets SMP improvements all the time, so yes, chances are that 7.8 will be even snappier. For banking, however, desktop smoothness would not be my primary concern.

Auli@lemmy.ca on 08 Oct 14:01

Ah, now it makes sense why you are spamming the RingReaper. It still needs an exploit to get it on your machine. BSD has way less hardware support than Linux.

tux0r@feddit.org on 08 Oct 14:44

The precise amount of hardware support of an operating system largely depends on your hardware. For example, iOS runs on iPhones while Linux does not. Does iOS have greater hardware support now?

Frankly, there is not one piece of hardware in my household that wouldn’t work with OpenBSD. I’m sure I could say the same about Linux. And you.

ashleythorne@lemmy.world on 08 Oct 10:21

Maybe Secureblue?

That also comes with its own hardened browser based on GrapheneOS’s.

And if you don’t go with Secureblue and its browser, I’d recommend using a Chromium-based browser, probably Brave. I know that’s a controversial choice, but in terms of security and ad blocking, it’s one of the better options. And disable JIT for V8.
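One way to make the "disable JIT for V8" advice stick across profiles, as an added example that is not from the comment's author: Chromium-based browsers honour the enterprise policy DefaultJavaScriptJitSetting (1 = allow, 2 = block), so a managed-policy JSON file turns the JIT off for every site. The directory is an assumption: Brave reads /etc/brave/policies/managed/ and Chromium /etc/chromium/policies/managed/ on Linux; the optional allow-list entry is a placeholder, and the demo writes into a temp dir so it needs no root.

```shell
#!/bin/sh
# Added example (not from the thread). Writes a Chromium managed policy that
# blocks the V8 JIT by default (DefaultJavaScriptJitSetting = 2), which is
# what "disable JIT for V8" means in policy terms. Directory is an assumption:
# Brave reads /etc/brave/policies/managed/, Chromium /etc/chromium/policies/managed/.

# Emit the policy JSON. Optional $1: one site pattern that keeps JIT enabled
# (placeholder; leave empty for a blanket block, which is the safer default).
v8_jit_policy_json() {
    if [ -n "$1" ]; then
        printf '{\n  "DefaultJavaScriptJitSetting": 2,\n  "JavaScriptJitAllowedForSites": ["%s"]\n}\n' "$1"
    else
        printf '{\n  "DefaultJavaScriptJitSetting": 2\n}\n'
    fi
}

# Write the policy file into a managed-policy directory (root for /etc).
write_v8_jit_policy() {
    dir="${1:-/etc/brave/policies/managed}"
    mkdir -p "$dir"
    v8_jit_policy_json "$2" > "$dir/disable-v8-jit.json"
    chmod 644 "$dir/disable-v8-jit.json"
}

# Return 0 if a policy file blocks the JIT by default; the weak setting (1)
# or a missing key leaves the JIT on and fails this check.
policy_blocks_jit() {
    grep -Eq '"DefaultJavaScriptJitSetting"[[:space:]]*:[[:space:]]*2' "$1"
}

# Demo in a temp dir; on a real install confirm at brave://policy (chrome://policy).
demo() {
    tmp=$(mktemp -d)
    write_v8_jit_policy "$tmp"
    policy_blocks_jit "$tmp/disable-v8-jit.json" && echo "JIT blocked by default"
    rm -rf "$tmp"
}
demo
```

After dropping the file into the managed directory and restarting the browser, the policy page should list DefaultJavaScriptJitSetting as applied; the trade-off is slower JavaScript on heavy web apps, which is why the allow-list parameter exists.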

tiz@lemmy.ml on 08 Oct 10:30

First time hearing about Secureblue. And it sounds great. Though their motivation is quite welcome to see, I’m unsure if it will be actively maintained for a long time. It’s quite a young project.

kylian0087@lemmy.dbzer0.com on 08 Oct 10:46

Top choice regarding security? Qubes OS. But that’s not just a distro.

tiz@lemmy.ml on 08 Oct 14:40

This is the first time I’ve heard of Qubes OS. And upon researching on Wikipedia, it’s meant to be used with multiple OSes for different tasks…? Wow.

Allero@lemmy.today on 08 Oct 15:35

It essentially is multiple OSes, one host and a plethora of separate virtual machines that only communicate what they were designed to communicate.

This way pretty much nothing can get access to userspace.

rozodru@piefed.social on 08 Oct 11:00

If you’re looking for something with the most security, then Qubes. It’s heavy, it’s slow, but good luck to anyone looking to break into that system.

Bit of a learning curve and a bit to wrap your head around, but I would tell him to think of it like you have access to a bunch of individual computers that don’t talk to each other but you control all of them. So he could have a Qube for casual web browsing, a Qube for work, and another Qube for financial stuff, all independent of each other. If something were to happen (malware, trojan, whatever), just simply close that Qube window and spin up another.

bjoern_tantau@swg-empire.de on 08 Oct 11:32

OpenSUSE is big on the security and usability front. None of the services you install activate by themselves. Firewall active by default. The first user doesn’t get access to every group under the sun after installation.

And everything can be controlled through GUI tools. But it doesn’t throw a fit when you’ve done something yourself through the CLI.

BCsven@lemmy.ca on 08 Oct 15:55

Also SELinux by default now instead of AppArmor. It can be a pain but it works. E.g., files dumped into a Samba share aren’t auto-shared unless they have the Samba SELinux setting applied, etc.
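The "Samba SELinux setting" in the comment above is the samba_share_t file type. As an added example that is not from the commenter, the snippet below shows the persistent labelling step (semanage fcontext followed by restorecon) and a small check that reads the type out of an ls -Z context string, so you can see why a file that landed in the share without that type is not served. The path /srv/share and the context strings in the demo are constructed; the labelling function itself is only run when invoked as root on an SELinux system.

```shell
#!/bin/sh
# Added example (not from the thread). Label a directory tree samba_share_t so
# smbd is allowed to serve it, and check ls -Z-style contexts for that type.
# /srv/share and the sample contexts are constructed for the demo.

# A SELinux context reads user:role:type:level; the third field is the type.
selinux_type_of_context() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Return 0 if a context string carries the Samba share type.
is_samba_share_context() {
    [ "$(selinux_type_of_context "$1")" = "samba_share_t" ]
}

# File-context pattern semanage expects for a whole directory tree.
samba_fcontext_pattern() {
    printf '%s(/.*)?\n' "${1%/}"
}

# Persistently label a share tree; needs root and semanage
# (policycoreutils-python-utils). restorecon applies the rule to existing files.
label_samba_share() {
    semanage fcontext -a -t samba_share_t "$(samba_fcontext_pattern "$1")"
    restorecon -Rv "$1"
}

# Print files under a share whose type is not samba_share_t. GNU ls -Z prints
# "context name" per entry, which is what the read loop splits.
unlabeled_files() {
    ls -Z "$1" | while read -r ctx name; do
        is_samba_share_context "$ctx" || printf '%s\n' "$name"
    done
}

# Demo on constructed contexts: the second is what a file moved in from a home
# directory typically keeps, and smbd will refuse it until restorecon runs.
demo() {
    for ctx in "unconfined_u:object_r:samba_share_t:s0" \
               "unconfined_u:object_r:user_home_t:s0"; do
        if is_samba_share_context "$ctx"; then
            echo "$ctx: servable by smbd"
        else
            echo "$ctx: not a Samba share label, run restorecon"
        fi
    done
}
demo
```

The usual surprise is the mv-versus-cp difference: a file copied into a labelled directory inherits samba_share_t from the directory's rule, while a file moved in keeps its old label (user_home_t, for instance) until restorecon is run on it, which matches the "dumped into a share but not shared" behaviour described in the comment.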

sonalder@lemmy.ml on 08 Oct 14:40

Education + up-to-date and highly popular distro with tons of contributors + good track record regarding security.

pastermil@sh.itjust.works on 08 Oct 14:42

Between Debian and AlmaLinux, depending on the exact use case.

Cyber@feddit.uk on 08 Oct 16:32

Security is the output of removing vulnerabilities and insecure configs.

So, the real answer is: what’s the minimal software you need and the most regularly updated.

So, my choice is Arch.

Yep, installation takes a little longer and needs more technical skills, but only install the bits you need (also learn a little more this way) and then updates are tiny and can be done as often as you’re comfortable with.

Whatever you choose, it will break / die / be deleted or corrupted one day, so always back up your data separately from the OS (separate drive partitions can help) and you’re done.