
What is the best Linux for security?

Hello,

 

I am a fool who uses Windows 10 with Tor (Opera when I want speed) and VeraCrypt, expecting quality security. Now the revelation of my blindness has come and I wish to improve the security of my PC, so I have researched and narrowed my decision down to using these softwares in conjunction:

 

  • Linux
  • Virtual machine (Virtual Box)
  • Whonix (Debian GNU/Linux based high security OS)

 

The problem is that I do not know which Linux is both easy to use yet secure (Ubuntu?) or does it not matter because I will be using Whonix? Any answers are greatly appreciated and if you have any alternatives or a simple guide for installation I would be massively grateful (as everything looks SO COMPLICATED TO INSTALL). I will still use Windows 10 in a dual boot for gaming once I figure that out.

 

Thank you, very, very, very much.

 

 


Kali Linux is not the easiest to install but was built for pure security. 

If you want pure awesomeness in security, FreeBSD is good but it is a pain to install compared to some Linux distros

 

Edit: Never mind I am just stupid lol


1 minute ago, SafyreLyons-5LT said:

Kali Linux is not the easiest to install but was built for pure security.

I'm sorry but this is completely wrong. Kali is designed for penetration testing, not for security of your own system (arguably the exact opposite). Furthermore it's not intended to be installed on a normal system, it should only be used as a live environment to carry around.

 

@SupersonicSaint most normal Linux distributions will be equally secure, however you will need to do some serious configuration if you're truly intent on maximizing security. Start with Fedora and SELinux.

 

Whonix is a Linux distro just like the others, the website suggests to run it in a virtual machine though so you'd have to use another distribution as a base. I don't think you actually need all this stuff though. Using Tor correctly on a Linux system is already good enough to hide your browsing habits.

Don't ask to ask, just ask... please 🤨

sudo chmod -R 000 /*


2 minutes ago, Sauron said:

I'm sorry but this is completely wrong. Kali is designed for penetration testing,

AHHHH I felt like I was wrong, didn't know if I was, my bad! thanks for telling me I was wrong.


2 minutes ago, Sauron said:

I'm sorry but this is completely wrong. Kali is designed for penetration testing, not for security of your own system (arguably the exact opposite). Furthermore it's not intended to be installed on a normal system, it should only be used as a live environment to carry around.

 

@SupersonicSaint most normal Linux distributions will be equally secure, however you will need to do some serious configuration if you're truly intent on maximizing security. Start with Fedora and SELinux.

 

Whonix is a Linux distro just like the others, the website suggests to run it in a virtual machine though so you'd have to use another distribution as a base. I don't think you actually need all this stuff though. Using Tor correctly on a Linux system is already good enough to hide your browsing habits.

Thank you for the reply,

 

So essentially I can skip out Whonix entirely and just use Linux with Tor? (Fedora and SELinux are different versions of Linux no? I don't know much about Linux sorry.) 


Just now, SupersonicSaint said:

Thank you for the reply,

 

So essentially I can skip out Whonix entirely and just use Linux with Tor? (Fedora and SELinux are different versions of Linux no? I don't know much about Linux sorry.) 

I mean... it depends on what you're doing but unless you're literally running from the government and there's a bounty on your head you most likely don't need any extra layers of privacy.

 

Fedora is a Linux distribution. Linux is what's called a kernel, it's a base on which an operating system can be built; distributions are those operating systems. SELinux is a version of the Linux kernel that includes some advanced security features. Since it's just the kernel it can be used with various distributions and Fedora is one of the easier distributions to get it running on. It's quite complex to set up properly though so as I said, unless you're in dire need of it you probably shouldn't bother.


5 minutes ago, SafyreLyons-5LT said:

AHHHH I felt like I was wrong, didn't know if I was, my bad! thanks for telling me I was wrong.

Thank you nevertheless. I'm not doing anything illegal so I don't need absolute invisibility to the maximum degree. I just don't want to be tracked and spied on with corporations and the government knowing about my searches, location and downloads.


1 minute ago, SupersonicSaint said:

I just don't want to be tracked and spied on with corporations and the government knowing about my searches, location and downloads.

Soooooo every Linux distro, use firefox/tor, duckduckgo instead of Google, and then you are basically hidden but not on the radar.


3 minutes ago, Sauron said:

I mean... it depends on what you're doing but unless you're literally running from the government and there's a bounty on your head you most likely don't need any extra layers of privacy.

 

Fedora is a Linux distribution. Linux is what's called a kernel, it's a base on which an operating system can be built; distributions are those operating systems. SELinux is a version of the Linux kernel that includes some advanced security features. Since it's just the kernel it can be used with various distributions and Fedora is one of the easier distributions to get it running on. It's quite complex to set up properly though so as I said, unless you're in dire need of it you probably shouldn't bother.

I don't want to be tracked, monitored, have my downloads searched or my location spied on. I don't do anything illegal or I wouldn't be asking on Linus Tech Tips lol. As long as those measures are met I will do the simplest path.


1 minute ago, SafyreLyons-5LT said:

Soooooo every Linux distro, use firefox/tor, duckduckgo instead of Google, and then you are basically hidden but not on the radar.

Well duckduckgo is the search engine of Tor. I just read that Tor has issues with exit nodes that compromise security and not all Linux are secure or they don't have much support/extensions and customisation.


Just now, SupersonicSaint said:

I don't want to be tracked, monitored, have my downloads searched or my location spied on. I don't do anything illegal or I wouldn't be asking on Linus Tech Tips lol. As long as those measures are met I will do the simplest path.

Tor takes care of that, at least as far as normal internet browsing goes, but you need to be careful on how you use it; for example logging in to anything will reveal who you are for the entire session. Using a linux distribution ensures you won't be sharing your system information against your will, but for example updates won't be passed through tor unless you use something like whonix or configure a tor proxy yourself; that doesn't mean your ISP will know what you're downloading but they will know what servers you're contacting. To be completely honest, I don't think you need to care about that at all but ultimately it's up to you - though if you intend to use Windows I take it you don't mind.


5 minutes ago, Sauron said:

Tor takes care of that, at least as far as normal internet browsing goes, but you need to be careful on how you use it; for example logging in to anything will reveal who you are for the entire session. Using a linux distribution ensures you won't be sharing your system information against your will, but for example updates won't be passed through tor unless you use something like whonix or configure a tor proxy yourself; that doesn't mean your ISP will know what you're downloading but they will know what servers you're contacting. To be completely honest, I don't think you need to care about that at all but ultimately it's up to you - though if you intend to use Windows I take it you don't mind.

Ah, thank you for the information. It seems I was overthinking things entirely then. I will simply use the suggested Linux and Tor without logging into anything with my email, though I was told Tor "was infiltrated and compromised by the ThreeLetterAgencies on Day One."


6 minutes ago, SupersonicSaint said:

though I was told Tor "was infiltrated and compromised by the ThreeLetterAgencies on Day One."

Oh xD I think whoever told you that 1) doesn't know what they're talking about and 2) has at least 5 layers of tin foil on their head.

 

Tor can't be "infiltrated" simply due to the way it works. It is possible to identify Tor users but the protocol itself has never been broken and those who were caught trying to hide crimes with it (after lengthy and costly investigation) were given away by their own mistakes. To avoid tracking and hiding your traffic from your ISP it's more than adequate.


12 minutes ago, Sauron said:

Oh xD I think whoever told you that 1) doesn't know what they're talking about and 2) has at least 5 layers of tin foil on their head.

 

Tor can't be "infiltrated" simply due to the way it works. It is possible to identify Tor users but the protocol itself has never been broken and those who were caught trying to hide crimes with it (after lengthy and costly investigation) were given away by their own mistakes. To avoid tracking and hiding your traffic from your ISP it's more than adequate.

Oh haha he is a security nerd which really made me believe I was way too transparent. I have PIA VPN which doesn't log so I will use that also. You have been great help! 

 

I do hope CAD softwares work fine on Linux though.


8 minutes ago, Sauron said:

well, autocad doesn't :P but there are some alternatives https://itsfoss.com/cad-software-linux/

Well I guess I will need to dual boot my PC using Linux most of the time and swapping to Windows only to access Steam, Epic Games and the CAD softwares I use personally. Hopefully that won't be a performance hit or a security risk but hey, CAD and gaming isn't criminal... I think ?


41 minutes ago, SupersonicSaint said:

Well I guess I will need to dual boot my PC using Linux most of the time and swapping to Windows only to access Steam, Epic Games and the CAD softwares I use personally. Hopefully that won't be a performance hit or a security risk but hey, CAD and gaming isn't criminal... I think ?

I mean, you could just use a virtual machine for web browsing if that's all you want Linux for.


IMO it's not so much about what distribution is most secure, it's about how you configure the installation and how / for what you use it for. The biggest security risk is in front of the keyboard and mouse!

 

In my opinion you can forget to use a VM for security (probably in your use case). A VM can be useful in case you want to do something potentially insecure within the VM, or test something for security (or create honeypots and whatnot). That way, potential breaches and issues might be confined within that VM. Remember: anything inside the VM should be considered compromised if the host is compromised, so this does not work the other way around!

 

Dual booting is also a security feature for automated breaches (viruses, worms and such) since they are (usually/probably!) not aware of any dual-bootable other  OSes. However, were there a rootkit on any of the OSes and some human hacker contacting the compromised computer, it is trivial for them to install another rootkit to the other (non-booted) OS (unless you have encrypted the system and have some external key needed for the whole bootup chain!).

 

Some distributions are more geared towards a server usage, so they might be more stable and/or get more security patches. But that does not necessarily mean they are more secure for any usage: their web browser might be older, which from security point it might even be the opposite. Their Kernel might have more security-oriented patches backported than your average distribution, and some services (such as Apache and whatnots) patched up promptly after vulnerabilities are found (this is mostly some gut feels I got; I don't maintain any servers).

 

In conclusion: to be secure, you need to think about your use case, and then do some of your own research. One sensible approach is to separate insecure stuff from secure (i.e. don't go to shady Pr0n sites with the same browser session, or even the same user, with which you do important stuff with - you may take this to an extreme and even use a separate OS installation. Just keep in mind what I said about VMs and dual-booting earlier!).

 

Also, security is a double-edged thing. For example: there is loads of illegal activities in the Tor network, but also journalists and human rights activists in countries which are ... problematic for these people. It's not about the tools but how (for what) you use them.

 

EDIT: Whonix and Tails are definitely good suggestions if your main concern is browsing as anonymously / securely as possible! Limit the sessions to the stuff you actually want to be secure, and only that. Don't use any accounts which could be connected to your identity within / from them!


Also, another piece of advice: I tried to find via Google a journalist/human rights activist from somewhere in South America, who was having an anonymous blog and writing about the activities of the local mafia (IIRC - my memory is vague!). However, he/she was not as anonymous as he/she thought he/she was, because of using Google Analytics (intentionally or unintentionally with the same user ID).

 

I did find this: https://www.wired.com/2011/11/goog-analytics-anony-bloggers/ (but this is another case; I'm certain there was this another person who really got killed because wrong people found out his/her identity - still, the underlying service / issue is the same).

 

So: depending on whatever you have in mind, doing stuff anonymously online might not be that easy. Some things have nothing to do with the OS you are using. Also think about the IP addresses your activities leave behind (if you do anything outside Tor, this might be an issue), what E-mail addresses you use and for what (for registration for example), and which services you use / log in online! Because of login / service provider congregation, someone might be able to connect your anonymous activities to your identity, if you are not careful (enough).

 

These are some things I would consider, in case I needed (or ever need) to stay anonymous!

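Added example, not part of any post in this thread: a self-audit for the Google Analytics problem described in the post above, scanning the HTML of your own pages for analytics and ad identifiers and reporting any that appear on both a site meant to be anonymous and a site tied to your identity. The site names, page snippets and IDs are constructed samples, and the ID patterns are the commonly seen formats, taken here as an assumption.

```python
import re
from collections import defaultdict

# Commonly seen identifier formats (assumed here): Universal Analytics
# UA-<account>-<property>, GA4 G-<id>, Tag Manager GTM-<id>, AdSense pub-<digits>.
TRACKER_PATTERNS = {
    "ga-universal": re.compile(r"\bUA-(\d{4,10})-\d{1,4}\b"),
    "ga4": re.compile(r"\bG-([A-Z0-9]{8,12})\b"),
    "gtm": re.compile(r"\bGTM-([A-Z0-9]{4,8})\b"),
    "adsense": re.compile(r"\b(?:ca-)?pub-(\d{10,20})\b"),
}


def extract_tracker_ids(html):
    """Return the set of (kind, account) pairs found in one page's HTML."""
    found = set()
    for kind, pattern in TRACKER_PATTERNS.items():
        for match in pattern.finditer(html):
            # UA-12345678-1 and UA-12345678-4 are properties of the same
            # account, so only the account part is used as the key.
            found.add((kind, match.group(1)))
    return found


def find_linked_sites(pages, anonymous, identified):
    """pages maps site name -> HTML. Return {tracker: [sites]} for every
    tracker shared by at least one anonymous and one identified site."""
    sites_by_tracker = defaultdict(set)
    for site, html in pages.items():
        for tracker in extract_tracker_ids(html):
            sites_by_tracker[tracker].add(site)
    return {
        tracker: sorted(sites)
        for tracker, sites in sites_by_tracker.items()
        if sites & anonymous and sites & identified
    }


# Constructed sample pages; none of these sites or IDs are real.
SAMPLE_PAGES = {
    "personal-portfolio.example":
        '<script>ga("create", "UA-12345678-1", "auto");</script>',
    "anonymous-blog.example":
        '<script>_gaq.push(["_setAccount", "UA-12345678-4"]);</script>'
        '<ins data-ad-client="ca-pub-1111222233334444"></ins>',
    "unrelated-forum.example":
        '<script>gtag("config", "G-ABCD123456");</script>',
}

if __name__ == "__main__":
    links = find_linked_sites(
        SAMPLE_PAGES,
        anonymous={"anonymous-blog.example"},
        identified={"personal-portfolio.example"},
    )
    for (kind, account), sites in links.items():
        print(f"{kind} account {account} links: {', '.join(sites)}")
```

Run it over saved copies of every page template you publish; any reported tracker is a link between the two identities that is independent of the OS or browser in use.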

On 7/10/2019 at 2:15 PM, Wild Penquin said:

IMO it's not so much about what distribution is most secure, it's about how you configure the installation and how / for what you use it for. The biggest security risk is in front of the keyboard and mouse!

 

In my opinion you can forget to use a VM for security (probably in your use case). A VM can be useful in case you want to do something potentially insecure within the VM, or test something for security (or create honeypots and whatnot). That way, potential breaches and issues might be confined within that VM. Remember: anything inside the VM should be considered compromised if the host is compromised, so this does not work the other way around!

 

Dual booting is also a security feature for automated breaches (viruses, worms and such) since they are (usually/probably!) not aware of any dual-bootable other  OSes. However, were there a rootkit on any of the OSes and some human hacker contacting the compromised computer, it is trivial for them to install another rootkit to the other (non-booted) OS (unless you have encrypted the system and have some external key needed for the whole bootup chain!).

 

Some distributions are more geared towards a server usage, so they might be more stable and/or get more security patches. But that does not necessarily mean they are more secure for any usage: their web browser might be older, which from security point it might even be the opposite. Their Kernel might have more security-oriented patches backported than your average distribution, and some services (such as Apache and whatnots) patched up promptly after vulnerabilities are found (this is mostly some gut feels I got; I don't maintain any servers).

 

In conclusion: to be secure, you need to think about your use case, and then do some of your own research. One sensible approach is to separate insecure stuff from secure (i.e. don't go to shady Pr0n sites with the same browser session, or even the same user, with which you do important stuff with - you may take this to an extreme and even use a separate OS installation. Just keep in mind what I said about VMs and dual-booting earlier!).

 

Also, security is a double-edged thing. For example: there is loads of illegal activities in the Tor network, but also journalists and human rights activists in countries which are ... problematic for these people. It's not about the tools but how (for what) you use them.

 

EDIT: Whonix and Tails are definitely good suggestions if your main concern is browsing as anonymously / securely as possible! Limit the sessions to the stuff you actually want to be secure, and only that. Don't use any accounts which could be connected to your identity within / from them!

This is the most in depth answer... I have ever received on ANYTHING. 

 

Thank you.

 

I know it is not what you meant but can your OS track what you are typing (yes) and share that to sources that identify your activity no matter what OS you use? (unsure)

 

It seems the best solution is to continue to use Windows as it easily supports most applications then booting up Tails so that everybody and the Pope doesn't see my BDSM playlist or me watching a man dance on top of the president ? So long as I don't log into or type anything about myself.

 

Can I, and if so, download files onto Tails as it's from two USB sticks? I assume the larger the USBs the better but which USB would the files even be installed on! Or will it just save to Windows and I will just have to use Veracrypt (bloody new UK porn ban ?)

 

Is it okay to use Tails on my existing gaming machine (PLUG! https://pcpartpicker.com/b/TCKBD3) or do I... have to buy a laptop and use it on that to keep it separate? If so PRIVACY IS NOT CHEAP! O-0

 

FYI it makes no sense how a laptop can cost vastly more than a console of similar performance.

 

Thanks again ~
