TL;DR - About switching from Linux Mint to Qubes OS from among various other options that try to provide security out-of-the-box (also discussed: OpenBSD, SculptOS, Ghaf, GrapheneOS)

  • non_burglar@lemmy.world (26 up, 1 down) · 1 month ago

    I don’t understand… Your motivation for a secure operating system was from an incident where you were nearly social engineered? How will a “more secure” os help you with that?

    • sudoer777@lemmy.ml (5 up, 5 down) · 1 month ago

      More secure OSes limit what social engineering attacks can take place and what damage they can do.

        • MouldyCat@feddit.uk (6 up, 3 down) · 1 month ago

          Often social eng attacks rely on a vulnerability as well, e.g. getting your mark to open an Excel file that exploits a vulnerability in MS Office.

          • non_burglar@lemmy.world (2 up, 2 down) · 1 month ago, edited

            Sure, but if the compromise stays within its own app, like for a browser, sandboxing won’t help.

            The bulk, and I mean like 95% of the compromises I see are normal employees clicking on things that “look legit”.

            Excel is now wrapped in a browser. Discord and almost all work apps are wrapped in a browser. So you can be completely locked down between apps like GrapheneOS, but if you are choosing to open links, no amount of sandboxing is going to save you.

            This is why we deploy KnowBe4 and Proofpoint, because people are liabilities, even to themselves.

            • FoundFootFootage78@lemmy.ml (4 up) · 1 month ago

              Clicking on things that look legit is a critical part of interaction with computers. Programs should not be installed unintentionally, so first and foremost Office Macros should not be enabled by default (and eventually Microsoft did disable them).

              Recently I think the main avenue for malware is to send a PDF with a fake popup for an update, that links to a phishing site and prompts you to download an exe with malware. That kind of thing is a harder issue to solve, but at the very least an OS should probably not let that program update your BIOS.

        • sudoer777@lemmy.ml (3 up, 1 down) · 1 month ago, edited

          One example is on GrapheneOS, programs can’t touch system files due to no root access, and they also can’t access data files for other programs.

          • non_burglar@lemmy.world (1 up, 1 down) · 1 month ago

            Sure, but op chose to follow a link. You can be sandboxed to high heaven and still get pwned if you make choices like that. Discord is particularly rife with this.

            • sudoer777@lemmy.ml (2 up) · 1 month ago

              Yes, but I never said you won’t get pwned. I said that it would limit how it could be done and what damage it could do.

              For instance, if you click a link and download something shitty, it can’t just steal your auth tokens on GrapheneOS because all of that is isolated to only the program that uses them. Meanwhile on Windows/Linux there are tons of Python scripts that do that. It would take extra steps on GrapheneOS for someone to use social engineering to hack someone’s Discord/Bank/etc account, which could be enough to prevent it for some people.

      • non_burglar@lemmy.world (21 up, 1 down) · 1 month ago

        You aren’t going to like this:

        Because if you got yourself pwned by a malicious link in Discord, your account hijacked, etc., then having Discord in a VM, container, chroot, jail, or whatever won’t help you on the server-side API abuse that got you pwned. In this case, you yourself should have been more vigilant.

        From your article, and with respect, I think it’s nice you’re thinking more about security, but you’re mixing up quite a few concepts, and you should probably make smaller moves toward security that you actually understand, instead of going all-in on Qubes with only a vague concept of the difference between sandboxing and paravirtualization.

        • mub@lemmy.ml (12 up) · 1 month ago

          Slightly harsh, but that is the truth of it. Improving the walls and doors will help, but if the guard on the door can be convinced to admit an uninvited guest, then the physical security will have a much harder time protecting your data. The weakest part of any security system is the people.

        • yazomie@lemmings.world (OP) (1 up, 1 down) · 1 month ago

          Server-side API? I was talking about avoiding to get one’s entire OS hijacked. The qube with the browser might get compromised, but dom0 would stay safely offline, that’s my ideal, not the utopic notion of never possibly getting attacked and hacked.

          As long as you don’t explain what concepts I am mixing up, I don’t see the respect, but as a random person on the Internet, feel free to troll, I’ll move on.

      • mybuttnolie@sopuli.xyz (1 up, 1 down) · 1 month ago

        I have this well-guarded city with big walls and tough gates. Oh hey look, someone is gifting me a big wooden horse, send them in! Edit: thought I was funny but it sounds mean now. But I know how you feel, I got pwned once like 10y ago and they sent spam from my Skype…

  • marcie (she/her)@lemmy.ml (12 up) · 1 month ago

    I think Secureblue + GrapheneOS are the most reasonable choices imo. Qubes is highly hardware intensive for what it does, it will frustrate most people.

    • yazomie@lemmings.world (OP) (5 up, 2 down) · 1 month ago

      It works decently with just 8 GB RAM, and I’m going to upgrade the RAM.

      Secureblue is based on sandboxing rather than paravirtualization, and I’m not sure that’s secure enough for me.

      • marcie (she/her)@lemmy.ml (2 up) · 1 month ago, edited

        I do agree it’s likely more secure, but the tradeoff for common use cases (gaming, development) is steep. I could see using it solely for browsing and messaging people.

        You can also just slot Secureblue into a qube, I believe.

        • yazomie@lemmings.world (OP) (1 up) · 1 month ago

          Well, I’m not sure why they didn’t include Secureblue qubes…

          I don’t do gaming or intensive development, so it’s fine for me.

    • peskypry@lemmy.ml (3 up, 5 down) · 1 month ago

      Not only is it resource‑intensive, but Qubes also lacks Secure Boot and Wayland support. Secure Boot is critical to ensure the OS has not been tampered with, and Wayland is required to isolate individual apps running within a single VM from capturing input intended for other apps. For an average user, I would recommend SecureBlue rather than Qubes.
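The two properties named in the reply above can be checked on a running Linux box. The script below is an added example (not from the thread or from any of the projects mentioned): it reads the Secure Boot state the same way mokutil does, from the SecureBoot and SetupMode UEFI variables exposed in efivarfs (first four bytes are the variable attributes, then the data), and classifies the display session as X11 or Wayland from the session environment. The sample byte strings in the usage section are constructed, not captured from a real machine.

```python
"""Host checks for Secure Boot state and display-server input isolation.

Added example; efivar layout and paths are the real ones used by the Linux
efivarfs driver, the constructed sample bytes at the bottom are illustrative.
"""
from __future__ import annotations

import os
import struct
from typing import Optional

# EFI_GLOBAL_VARIABLE GUID, as mounted under efivarfs by the kernel.
EFIVARS = "/sys/firmware/efi/efivars"
SECUREBOOT_EFIVAR = f"{EFIVARS}/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c"
SETUPMODE_EFIVAR = f"{EFIVARS}/SetupMode-8be4df61-93ca-11d2-aa0d-00e098032b8c"


def read_efivar(path: str) -> Optional[bytes]:
    """Return raw efivar contents, or None when not booted via UEFI / not mounted."""
    try:
        with open(path, "rb") as fh:
            return fh.read()
    except OSError:
        return None


def parse_efivar(raw: bytes) -> tuple[int, bytes]:
    """Split an efivarfs blob into (attributes, data); attrs are a little-endian u32."""
    if len(raw) < 4:
        raise ValueError("efivar blob too short")
    (attrs,) = struct.unpack("<I", raw[:4])
    return attrs, raw[4:]


def secure_boot_state(raw_secureboot: Optional[bytes],
                      raw_setupmode: Optional[bytes] = None) -> str:
    """'enabled', 'disabled', 'setup-mode' (keys not enrolled, nothing enforced), or 'no-uefi'."""
    if raw_secureboot is None:
        return "no-uefi"
    if raw_setupmode is not None:
        _, setup = parse_efivar(raw_setupmode)
        if setup and setup[0] == 1:
            return "setup-mode"
    _, data = parse_efivar(raw_secureboot)
    return "enabled" if data and data[0] == 1 else "disabled"


def session_isolation(env: dict[str, str]) -> str:
    """Classify the graphical session. Under X11 any client can read every other
    client's input; Wayland compositors hand events only to the focused surface.
    X11 apps running under Xwayland still share one X server among themselves."""
    stype = env.get("XDG_SESSION_TYPE", "").lower()
    if stype == "wayland" or env.get("WAYLAND_DISPLAY"):
        return "wayland"
    if stype == "x11" or env.get("DISPLAY"):
        return "x11"
    return "unknown"


if __name__ == "__main__":
    # Live check of this machine.
    print("secure boot:", secure_boot_state(read_efivar(SECUREBOOT_EFIVAR),
                                            read_efivar(SETUPMODE_EFIVAR)))
    print("session    :", session_isolation(dict(os.environ)))
    # Constructed sample: attrs 0x06 (BS|RT) followed by a single data byte 0x01.
    print("sample     :", secure_boot_state(bytes.fromhex("0600000001")))  # enabled
```

Note that a reported "enabled" only tells you the firmware verified the boot chain up to the shim/bootloader; whether the kernel, initramfs and modules are covered depends on the distribution's signing setup, which is a separate check.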

    • yazomie@lemmings.world (OP) (4 up) · 1 month ago

      I actually forgot to mention it, but I was going to say anyway that sandboxing I deem less ideal than paravirtualization

      • Lonewolfmcquade@lemmy.world (1 up) · 1 month ago

        I don’t know anything about that but it sounds interesting. If you have any sources for further reading about sandboxing vs paravirtualization, I’d like to read up on it

    • yazomie@lemmings.world (OP) (3 up) · 1 month ago

      Thanks, Ironclad and Gloire look interesting for a RISC-V system, gonna try them out at some point alongside CheriBSD.

    • Digit@lemmy.wtf (2 up) · 1 month ago

      Oh dang!

      I just posted

      The Ironclad kernel intrigues

      before reading other replies, presuming no one else would have mentioned it.

      Well done Jay. :)

      [Edit: Oh, I just got down to the PS in the original article. Heh. Ironclad mentioned there too. XD Good to see I’m not the one raising it first.]

  • fruitycoder@sh.itjust.works (4 up) · 1 month ago

    Another step up is the confidential computing project. Requires hardware that supports it though, which sucks, but it takes the virtual hardware concept and adds multi-key memory encryption on top.

    Remember though security without a threat model is just paranoia, so what level of hoops and investment you need really depends on what your threats actually look like.

    I personally love containers and MACsec. It limits most of my concerns. I want to mess with confidential containers next, which is to say lightweight VMs in containers with memory encryption set, but that’s all future to me. The irony is that I then have to figure out attestation better for those machines, since from the host they are black boxes.
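The attestation problem raised in the comment above has a fixed shape regardless of vendor: the relying party sends a fresh nonce, the hardware returns a signed report binding that nonce to the measurement of what was launched, and the verifier checks signature, freshness and measurement against an allowlist. The script below is an added example, not code from the thread, from the Confidential Containers project or from any TEE vendor. The hardware signature is simulated with HMAC-SHA256 over a key both sides hold; real platforms (SEV-SNP, TDX) sign with a device key and the verifier validates a vendor certificate chain instead. The image bytes and key are constructed.

```python
"""Remote attestation exchange, both sides, with replay and tamper cases.

Added example. FakeTee stands in for the attesting hardware; the HMAC "signature"
is a simulation of the device-key signature a real TEE would produce.
"""
from __future__ import annotations

import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Report:
    measurement: str  # hex SHA-256 of the launched image
    nonce: str        # verifier-chosen challenge, echoed back
    signature: str    # hex HMAC over the canonical report body (simulated)


def _body(measurement: str, nonce: str) -> bytes:
    # Canonical encoding so signer and verifier hash exactly the same bytes.
    return json.dumps({"measurement": measurement, "nonce": nonce}, sort_keys=True).encode()


class FakeTee:
    """Attesting side: knows the device key and what it actually launched."""

    def __init__(self, device_key: bytes, launched_image: bytes) -> None:
        self._key = device_key
        self.measurement = hashlib.sha256(launched_image).hexdigest()

    def attest(self, nonce: str) -> Report:
        sig = hmac.new(self._key, _body(self.measurement, nonce), hashlib.sha256).hexdigest()
        return Report(self.measurement, nonce, sig)


class Verifier:
    """Relying party: issues single-use nonces and holds the measurement allowlist."""

    def __init__(self, device_key: bytes, allowed_measurements: set[str]) -> None:
        self._key = device_key
        self._allowed = set(allowed_measurements)
        self._outstanding: set[str] = set()

    def challenge(self) -> str:
        nonce = secrets.token_hex(16)
        self._outstanding.add(nonce)
        return nonce

    def verify(self, r: Report) -> tuple[bool, str]:
        expected = hmac.new(self._key, _body(r.measurement, r.nonce), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, r.signature):
            return False, "bad signature"           # forged or corrupted report
        if r.nonce not in self._outstanding:
            return False, "stale or unknown nonce"  # replay of an old report
        self._outstanding.discard(r.nonce)          # every nonce is single use
        if r.measurement not in self._allowed:
            return False, "measurement not in allowlist"
        return True, "ok"


def demo() -> dict[str, tuple[bool, str]]:
    """Run the honest, replayed, tampered and forged cases; returns each verdict."""
    device_key = secrets.token_bytes(32)                 # constructed
    good_image = b"confidential-container-image-v1"     # constructed
    verifier = Verifier(device_key, {hashlib.sha256(good_image).hexdigest()})
    results: dict[str, tuple[bool, str]] = {}

    honest = FakeTee(device_key, good_image).attest(verifier.challenge())
    results["honest"] = verifier.verify(honest)
    results["replay"] = verifier.verify(honest)          # same report again
    results["tampered_image"] = verifier.verify(
        FakeTee(device_key, b"backdoored-image").attest(verifier.challenge()))
    results["forged"] = verifier.verify(               # host without the device key
        FakeTee(b"not-the-device-key", good_image).attest(verifier.challenge()))
    return results


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:15s} -> {verdict}")
```

The order of checks matters: the signature is verified before the nonce is consumed, so an attacker cannot burn outstanding nonces with garbage reports, and the nonce is consumed before the allowlist check so a report is never evaluated twice.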

  • N.E.P.T.R@lemmy.blahaj.zone (0 up) · 1 month ago

    I am excited to see Chimera Linux mature because it seems like a distro which prioritizes a simple but modern software stack.

    Features of Chimera that I like include:

    • Not run by fascists
    • Not SystemD (dinit)
    • Not GNU coreutils (BSD utils)
    • Not glibc (musl)
    • Not jemalloc (mimalloc)
    • Proper build system, not just Bash scripts in a trenchcoat

    What I would like:

    • MAC (SELinux)
    • Switch to Fish over Bash (because it is a much lighter codebase)
    • Switch from mimalloc to hardened_malloc (or mimalloc built with secure flag). Sadly hardened_malloc is only x64 or aarch64
    • Hardened sysctl kernel policy

    • yazomie@lemmings.world (OP) (0 up) · 1 month ago

      Chimera is a nice alternative to Alpine, have you thought of sending this feedback to Chimera’s dev?

      • N.E.P.T.R@lemmy.blahaj.zone (1 up) · 1 month ago

        I thought about it (and I might still) but the project is still in beta and implementing sysctl and MAC would slow everything down development-wise. Switching to Fish would be easy and cool though.
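The "hardened sysctl kernel policy" item on N.E.P.T.R's wish list above is the kind of thing a distro ships as a file in /etc/sysctl.d/ and then has to keep from drifting. The script below is an added example (not Chimera's policy, not code from the thread): a baseline of knobs documented in the kernel's Documentation/admin-guide/sysctl/, a parser for `sysctl -a` output, a drift check that also reports knobs the running kernel does not have, and a renderer for the sysctl.d fragment. The `sysctl -a` sample is constructed, not captured from a real system.

```python
"""Hardened sysctl baseline with a drift check against `sysctl -a`.

Added example. The baseline is an editor's selection of upstream-documented knobs;
tune it to the workload (e.g. ptrace_scope=2 breaks gdb attach for normal users).
"""
from __future__ import annotations

import subprocess

HARDENED_POLICY: dict[str, str] = {
    "kernel.kptr_restrict": "2",             # hide kernel pointers even from root
    "kernel.dmesg_restrict": "1",            # dmesg needs CAP_SYSLOG
    "kernel.yama.ptrace_scope": "2",         # only CAP_SYS_PTRACE may attach
    "kernel.unprivileged_bpf_disabled": "1", # no bpf() for unprivileged users
    "net.core.bpf_jit_harden": "2",          # blind JIT constants for all users
    "kernel.kexec_load_disabled": "1",       # cannot load a new kernel at runtime
    "kernel.sysrq": "0",                     # disable magic SysRq
    "kernel.perf_event_paranoid": "2",       # upstream max; some distros patch in 3
    "fs.protected_symlinks": "1",
    "fs.protected_hardlinks": "1",
    "fs.protected_fifos": "2",
    "fs.protected_regular": "2",
    "net.ipv4.tcp_syncookies": "1",
    "net.ipv4.conf.all.accept_redirects": "0",
    "net.ipv4.conf.all.rp_filter": "1",
    "vm.unprivileged_userfaultfd": "0",      # userfaultfd only with CAP_SYS_PTRACE
}

# Constructed `sysctl -a` excerpt: three values relaxed, userfaultfd knob absent.
SAMPLE_SYSCTL_A = """\
kernel.kptr_restrict = 1
kernel.dmesg_restrict = 0
kernel.yama.ptrace_scope = 2
kernel.unprivileged_bpf_disabled = 1
net.core.bpf_jit_harden = 2
kernel.kexec_load_disabled = 1
kernel.sysrq = 16
kernel.perf_event_paranoid = 2
fs.protected_symlinks = 1
fs.protected_hardlinks = 1
fs.protected_fifos = 2
fs.protected_regular = 2
net.ipv4.tcp_syncookies = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.rp_filter = 1
"""


def parse_sysctl_output(text: str) -> dict[str, str]:
    """Turn `key = value` lines (sysctl -a or a sysctl.d file) into a dict."""
    current: dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", ";", "sysctl:")) or "=" not in line:
            continue
        key, _, value = line.partition("=")
        current[key.strip()] = value.strip()
    return current


def check_drift(policy: dict[str, str], current: dict[str, str]) -> list[tuple[str, str, str]]:
    """Return (key, wanted, actual) for every knob that differs or is missing."""
    drift: list[tuple[str, str, str]] = []
    for key, wanted in policy.items():
        actual = current.get(key)
        if actual is None:
            drift.append((key, wanted, "<missing>"))  # knob not built into this kernel
        elif actual != wanted:
            drift.append((key, wanted, actual))
    return drift


def render_sysctl_conf(policy: dict[str, str]) -> str:
    """Render the policy as a fragment for /etc/sysctl.d/."""
    lines = ["# hardened baseline, e.g. /etc/sysctl.d/90-hardening.conf"]
    lines += [f"{k} = {v}" for k, v in sorted(policy.items())]
    return "\n".join(lines) + "\n"


def live_drift() -> list[tuple[str, str, str]]:
    """Drift of the running kernel; requires the sysctl binary."""
    out = subprocess.run(["sysctl", "-a"], capture_output=True, text=True, check=False).stdout
    return check_drift(HARDENED_POLICY, parse_sysctl_output(out))


if __name__ == "__main__":
    for key, wanted, actual in check_drift(HARDENED_POLICY, parse_sysctl_output(SAMPLE_SYSCTL_A)):
        print(f"{key}: want {wanted}, have {actual}")
    print(render_sysctl_conf(HARDENED_POLICY))
```

A "<missing>" entry is worth distinguishing from a wrong value: kernel.yama.ptrace_scope is absent when Yama is not compiled in, and net.core.bpf_jit_harden is absent without BPF JIT support, so the fix is a kernel config change rather than a sysctl line.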

  • FoundFootFootage78@lemmy.ml (1 up, 1 down) · 1 month ago

    What did clicking on the Cloudflare button actually do? As far as I know, just clicking on a link shouldn’t give you malware.