Great questions! I'll try to answer as best I can.
Is Qubes OS not ready yet for your intended workflow/usage? Or are you not ready to make the complete switch (yet)?
Qubes OS has a very steep learning curve due to its difficult usability, so the answer would be "both". I am willing to tackle and overcome, but I'm not ready to put in that work yet, if at all.
Unfortunately, in almost all cases, increased security/privacy is achieved through the loss of convenience. Therefore, you should ask yourself what the minimum level of security/privacy is that you absolutely require/need. How's your threat model defined (if at all)?
I have a really funny story regarding threat models. When I first got into privacy 2-3 years ago, I had the goal of getting as deep as I could (the "strictest threat model possible") and work backwards to find out what I was willing to allow. I succeeded, but because I had gone too deep before I learned what a threat model was, I never made a clear threat model. I have a "subconscious" threat model. I have, over the past week, started working on answering the classic questions. I am trying to protect against "evil" corporations, and such, I must also protect myself against some low level government threats. My threat model "philosophy" is: I will not use a piece of software if it actively goes against me in terms of privacy. Windows, for example, is a pain to try to use while maintaining privacy.
You are the third person to recommend SecureBlue (I've been keeping track), and since it is a "Fedora Atomic spin" (Fedora Atomic as well as Atomic distros in general were also recommended three times each), I believe I will switch to it to see how it is. By the way, I love the mention of GrapheneOS, since that will eventually (finances be blessed) be my main mobile OS for the rest of my life. I wish there was a true "Linux alternative to GrapheneOS".
I've looked into Whonix in the past, as Qubes OS is one of the host operating systems for it. I plan to try Whonix when they release their own independent ISO that is under works right now. Thank you for your suggestion!
If I would have to distill your philosophy, it would be something like "be protected from attacks targeted towards low(er) hanging fruit". Would that be fair?
It may help for me to elaborate a bit. My number one enemy (like most) is Google. I have been completely Google free for 1-2 years now (with the exception of YouTube on iOS, as the alternatives ultimately require a Mac to install, which I don't have), but I haven't used Google as a search engine in over 4 years. Besides trying to give as little information as possible (I am currently experimenting with setting up a hard firewall block against their IP addresses, if you have any recommendations on how that could be automated, potentially in Python, please let me know), I also try to give as little information to other companies (Microsoft, etc.) as I can. Now, certain authorities have the permission to request data from companies, not just privacy disrespecting ones. That means that part of my threat model entails certain defenses against such agencies, to make it hard enough to correlate that data with my person. I don't go overboard, in case anyone is worried. I've seen the bondage between paranoia and privacy, and I've set myself clear boundaries I won't cross. So, my main goal is to protect against companies trying to collect my data (bleh, how cliche), but it doesn't hurt to put in place some decent practices in case the world turns for the worst. I am protecting against attacks from the government towards low hanging fruit, but when it comes to large corporations, I don't play nice.
If you want an overview of my setup, here it is:
Tails occasionally (because it's fun)
SecureBlue (Soon!)
Tor Browser when using personal accounts (email, Lemmy, etc.)
ProtonVPN on all devices 24/7 except when using Tor (for speed) or large downloads/torrents (may look into Mullvad VPN)
Mullvad browser as a default browser
Librewolf for functionality Mullvad Browser doesn't have (Yubikeys, etc.)
Firefox for streaming some videos that require a specific DNS configuration (Soon looking into how to put an extreme sandbox on it)
uBlock Origin for all browsers
GrapheneOS (Soon, finances be blessed)
ProtonMail + Anonaddy, use disposable emails for accounts that "don't matter"
Very, very strong and unique passwords + 2FA/FIDO for everything applicable
As much FOSS software as I can
Signal as my main messenger (to help bridge the gap for my friends) until GrapheneOS, then SimpleX (Please take a look at privacyspreadsheet.com/messaging-apps !)
SearXNG as my main search engine (with Google turned on, because my threat model does not go against them collecting data not correlated with me)
Bitwarden as my password manager until GrapheneOS, then KeePass
NextDNS as my DNS resolver (which gets overridden by the VPN's DNS on iOS)
I've come a long way since I first (unknowingly) started my journey in 2019(!)
it's worth reviewing what Privacy Guides has to say on this.
Interesting! Considering my threat model includes my ISP as an enemy, it would make sense for me to use a VPN behind Tor: However my threat model doesn't care if my ISP knows I am using Tor, as it would only be collecting data uncorrelated with my activities. Although it could cause legal trouble if a presidential threat (for example) over Tor happened at the same time as my usage of Tor. The change I will make is this: I will resume my current usage until I am able to use a paid VPN plan to speed it up.
but please consider to review Proton VPN on port forwarding
See above, no paid plan yet ;)
Unfortunately, at least for torrents, youāre no longer able to rely on Mullvad VPN.
Bleh, and I was really beginning to like them for allowing cash payments!
Easiest (and also one of the best options) is probably the use of a VM.
Fair, although didn't GNOME Boxes have some sandboxing issues?
there is merit in forsaking Anonaddy for SimpleLogin if decreasing the amount of trusted parties is desired. However, this comes at the cost of moving more into the direction of putting all your eggs in one basket.
I am using Anonaddy for that reason specifically, plus the severe lack of features in SimpleLogin's free version.
I hope an offline password manager is involved to some capacity.
As mentioned, I will switch to KeePass soon. Some of my passwords are stored completely offline, however. Pen and paper never fails, I even dedicated a specific pen for it! On a related note, take a look at this
Do you happen to know how they currently fare against each other in security/privacy features (beyond what's found on the linked spreadsheet)?
Once I get an Android phone, I will try out Briar (because I am obsessed with the idea). I personally reached out to SimpleX regarding the spreadsheet, and the response I received back outlined that SimpleX pads the encrypted messages both during transit and in cold storage, which they said a lot of other messengers don't do. A comment on the original post for the spreadsheet mentions that the spreadsheet doesn't outline which services route through Tor (which Briar does, of course). The spreadsheet is very thorough, and SimpleX is still a relatively young project, so I don't have much I can say. I've tried using it on iOS, and my friend and I both agree it's terrible to use sometimes due to lag and choppiness. I currently testflight the app, but still no change. Either way, if you want, you can use SimpleX's built-in support chat if you want to reach out to the team yourself. They are very friendly and don't talk like a CEO, but there can be delayed response.
Ah, we've found the password manager, KeePass (be it DX/XC) is indeed excellent.
Yep! One related note, KeePass on Tails is outdated for some reason. Have any idea why?
I also planned to add this to my original message: I have never once had a cellular provider, which to me has been the biggest privacy boost since burning Windows at the stake.
That is a very useful tool I overlooked! Thank you!
How does Arch Linux fare as far as privacy and security? It's private in that it is minimalistic, but that may also mean it lacks in preinstalled security features.
I had installed an app (flatpak) that required the use of my microphone. I knew I had disabled microphone permissions globally in settings, so I went into settings and turned microphone access on. The app successfully used my microphone, but the issue is it doesn't show up as an app that requested microphone permissions in settings. Further reading showed that sandboxed apps are forced to request microphone access, but unsandboxed apps can freely use the microphone. This led me to believe that the flatpaks I had been installing were not sandboxed. I could be wrong, so some insight would be much appreciated!
It's been on my to-do list for a while to try. Thank you!
Edit: I think it may be applicable to mention that I have reinstalled Kali 3 times. The first time it broke after an update. The second time is when I learned what a desktop environment was. The third time was when I discovered why separating /home, /etc, and so on into different partitions is bad if you don't know what you're doing. The installer for the third time was repeatedly broken (apps wouldn't open!), but the netinstaller resolved the issue.
No telemetry and good sandboxing by default are the main two things I am looking for in terms of privacy. As GravitySpoiled has mentioned, Arch isn't an "install and forget about it" distro, which is another thing I would look for if it were to be my main OS. If you have any suggestions based on that, please let me know!
If Tails wasn't amnesiac and implemented strong sandboxing, it would be perfect for me. Whonix has been (very, VERY) slowly developing their own independent ISO, which I will be quick to try when (after an eternity) it releases to the public.
There is something almost identical in the settings app, is it different from that? Also, is there a way I can check which apps are/aren't sandboxed? Thank you!
I looked into flatseal, and I am incredibly happy with it, it instantly made me feel much better about my digital hygiene. As for GNOME flatpak settings, there are some toggles, but only minimal (notifications, background, etc.)
@loganb, that has to be one of the most helpful suggestions for an app I've received since I first used Linux. Truly, thank you!
I could make a list of all the things I would want in a distro as far as privacy, but a lot of them aren't as important as sandboxing and (obviously) a system that doesn't actively make your privacy life hell. Other features would be better clipboard management (Tails and Qubes do a great job with that), no obvious gaps in security/privacy, a system that you don't have to build yourself, etc.
I think I've used Fedora more than I have Mint, but I have been completely Windows free for years now!
I believe I may have live booted it once (when I needed to perform an action that live booting with Ubuntu couldn't do), and I really enjoyed the look and feel of it for the short time I used it.
Or it was a different one, but let's just assume it was Alpine ;)
Oddly enough, at the time only having installed a few Linux distros in my life, Qubes OS was very easy to install and ran just fine on my medium-grade hardware. Lots of people mention having problems with it, but I got really lucky it seems. Thanks for your suggestion!
Thank you very much for your detailed response! I'm comfortable pushing the boundaries of a normal operating system (I kind of have to, I'm a programmer, after all!) but I wouldn't consider myself a power user.
Searching for a Linux distro
cross-posted from: lemmy.ml/post/12400033 (Thank you lemmy.ml/u/Kory !)...
Searching for a Linux distro
I first used Linux about 5 years ago (Ubuntu). Since then, I have tried quite a few distros:...